A data word is a sequence of pairs of a letter from a finite alphabet and an element from an infinite set, where the latter can only be compared for equality. Safety one-way alternating automata with one register on infinite data words are considered, their nonemptiness is shown ExpSpace-complete, and their inclusion decidable but not primitive recursive. The same complexity bounds are obtained for satisfiability and refinement, respectively, for the safety fragment of linear temporal logic with freeze quantification. Dropping the safety restriction, adding past temporal operators, or adding one more register, each causes undecidability.

Categories and Subject Descriptors: F.4.1 [Mathematical Logic and Formal Languages]: Formal Languages — Decision problems; F.1.1 [Computation by Abstract Devices]: Models of Computation — Automata

General Terms: Algorithms, Verification 



1. INTRODUCTION 

Context. Logics and automata for words and trees over finite alphabets are relatively well-understood. Motivated partly by the need for formal verification and synthesis of infinite-state systems, and the search for automated reasoning techniques for XML, there is an active and broad research programme on logics and automata for words and trees which have richer structure.

Segoufin's survey [Segoufin 2006] is a summary of the substantial progress made 
on reasoning about data words and data trees. A data word is a word over a finite 
alphabet, with an equivalence relation on word positions. Implicitly, every word 
position is labelled by an element ("datum") from an infinite set ("data domain"), 
but since the infinite set is equipped only with the equality predicate, it suffices 
to know which word positions are labelled by equal data, and that is what the 
equivalence relation represents. Similarly, a data tree is a tree (countable, unranked 
and ordered) whose every node is labelled by a letter from a finite alphabet, with 
an equivalence relation on the set of its nodes. 

It has been nontrivial to find satisfactory specification formalisms even for data words. First-order logic was considered in [Bojańczyk et al. 2006; David 2004], and related automata were studied further in [Björklund and Schwentick 2007]. The logic has variables which range over word positions ($\{0, \dots, l-1\}$ or $\mathbb{N}$), a unary predicate for each letter from the finite alphabet, and a binary predicate $x \sim y$ for the equivalence relation that represents equality of data labels. $\mathrm{FO}^2(\sim, <, +1)$ denotes such a logic with two variables and binary predicates $x + 1 = y$ and $x < y$. Over finite and over infinite data words, satisfiability for $\mathrm{FO}^2(\sim, <, +1)$ was proved decidable and at least as hard as reachability for Petri nets [Bojańczyk et al. 2006]. The latter problem is ExpSpace-hard [Lipton 1976], but its elementarity is still an open question. Elementary complexity of satisfiability can be obtained at the price of substantially reducing the navigational power: over finite data words, NExpTime-completeness for $\mathrm{FO}^2(\sim, <)$ was established in [David 2004] and 3NExpTime-membership for $\mathrm{FO}^2(\sim, +1)$ follows from [Bojańczyk et al. 2006]. In the other direction, if $\mathrm{FO}^2(\sim, <, +1)$ is extended by one more variable, $+1$ becomes expressible using $<$, but satisfiability was shown undecidable already for $\mathrm{FO}^3(\sim, +1)$ [Bojańczyk et al. 2006].

An alternative approach to reasoning about data words is based on automata with registers [Kaminski and Francez 1994]. A register is used for storing a datum for later equality comparisons (i.e. an equivalence class for later membership testing). Nonemptiness of one-way nondeterministic register automata over finite data words has relatively low complexity: NP-complete [Sakamoto and Ikeda 2000] or PSpace-complete [Demri and Lazić 2009], depending on technical details of their definition. Unfortunately, such automata fail to provide a satisfactory notion of regular language of finite data words, as they are not closed under complement [Kaminski and Francez 1994] and their nonuniversality is undecidable [Neven et al. 2004]. To overcome those limitations, one-way alternating automata with 1 register (for short, 1ARA$_1$) were proposed in [Demri and Lazić 2009]: they are closed under Boolean operations, their nonemptiness over finite data words is decidable, and future-time fragments of temporal logics such as LTL or the modal $\mu$-calculus extended by 1 register are easily translatable to such automata. However, nonemptiness for 1ARA$_1$ turned out to be not primitive recursive over finite data words, and undecidable (more precisely, $\Pi^0_1$-hard) over infinite ones with the weak acceptance mechanism [Muller et al. 1986] and thus also with Büchi or co-Büchi acceptance.

Contribution. We consider one-way alternating automata with 1 register with the safety acceptance mechanism over infinite data words (i.e. data $\omega$-words). The languages of such automata are safety properties [Alpern and Schneider 1987]: every rejected data $\omega$-word has a finite prefix such that every other data $\omega$-word which extends it is also rejected. (Over finite data words, safety is not a restriction.)

The main result is that nonemptiness of safety 1ARA$_1$ is in ExpSpace. We say that a sentence of LTL is safety iff each occurrence of the 'until' operator is under an odd number of negations. In particular, each 'eventually' (resp., 'always') must be under an odd (resp., even) number of negations. By showing that the safety fragment of future-time LTL with 1 register is translatable in logarithmic space to safety 1ARA$_1$, and that satisfiability for the fragment is ExpSpace-hard, we conclude ExpSpace-completeness of both problems.

The ExpSpace upper bound is surprising since even decidability is fragile: by [Demri and Lazić 2009, Theorem 5.2], satisfiability for future-time LTL with 1 register on data $\omega$-words is $\Pi^0_1$-hard, and from the proof of [Demri and Lazić 2009, Theorem 5.4], the same is true for the safety fragment if past temporal operators or one more register are added (cf. related undecidability results in [Neven et al. 2004; David 2004]). Moreover, nonemptiness of safety forward (i.e. downward and rightward) alternating automata with 1 register on data trees was shown decidable but not elementary [Jurdziński and Lazić 2007]. Another setting where decidability [Ouaknine and Worrell 2006] was obtained by restricting to safety sentences is that of metric temporal logic on timed $\omega$-words, but the complexity is again not elementary [Bouyer et al. 2008].

The proof of ExpSpace-membership is in two stages. The first consists of translating a given safety 1ARA$_1$ $\mathcal{A}$ to a nondeterministic automaton with faulty counters $\mathcal{C}_{\mathcal{A}}$ which is on $\omega$-words over the alphabet of $\mathcal{A}$ and which is nonempty iff $\mathcal{A}$ is. The counters of $\mathcal{C}_{\mathcal{A}}$ are faulty in the sense that they are subject to incrementing errors, i.e. they can spontaneously increase at any time. Although a nonemptiness-preserving translation from 1ARA$_1$ with weak acceptance to counter automata with incrementing errors was given in [Demri and Lazić 2009], applying it to safety 1ARA$_1$ produces automata with the Büchi acceptance mechanism, where the latter ensures that certain loops cannot repeat infinitely due to incrementing errors. To obtain safety automata, we enrich the instruction set by nondeterministic transfers. When applied to a counter $c$ and a set of counters $C$, such an instruction transfers the value of $c$ to the counters in $C$, nondeterministically splitting it. Thus we obtain $\mathcal{C}_{\mathcal{A}}$ whose nonemptiness amounts to existence of an infinite computation from the initial state. However, a further observation on the resulting automata is required: the counters of such an automaton are nonempty subsets of a certain set (essentially, the set of states of the given safety 1ARA$_1$), and it suffices to use nondeterministic transfers which are simultaneous for all counters and which have a certain distributivity property in terms of the partial-order structure of the set of all counters.

The second stage of the proof is then an inductive counting argument which shows that $\mathcal{C}_{\mathcal{A}}$ is nonempty iff it has a computation from the initial state of length doubly exponential in the size of $\mathcal{A}$. Some of the techniques are also used in the proof that termination of channel machines with occurrence testing and insertion errors is primitive recursive [Bouyer et al. 2008]. Although counters are simpler resources than channels, the class of machines considered there does not have instructions which correspond to the nondeterministic transfers, and the sets of channels and messages (which are counterparts to the sets of counters) have no special structure.

We also show that language inclusion between two safety 1ARA$_1$ is decidable, and hence that refinement (i.e., validity of implication) between two sentences of safety future-time LTL with 1 register is also decidable. Since the safety fragment is closed under conjunctions and disjunctions, it follows that satisfiability is decidable for Boolean combinations of safety sentences. The latter is thus a competing logic to $\mathrm{FO}^2(\sim, <, +1)$ on data $\omega$-words. They are incomparable in expressiveness: there exist properties involving the past (e.g. 'every $b$ is preceded by an $a$ with the same datum') which are expressible in $\mathrm{FO}^2(\sim, <, +1)$ but not by a Boolean combination of safety sentences (not even in future-time LTL with 1 register), and the reverse is true of some constraints involving more than 2 word positions (e.g. 'whenever $a$ is followed by $b$ with the same datum, $c$ does not occur in between'). However, as pointed out above, it is not known whether satisfiability for $\mathrm{FO}^2(\sim, <, +1)$ is elementary, whereas we establish that already satisfiability for negations of safety sentences is not primitive recursive, and hence also universality for safety 1ARA$_1$.

ACM Journal Name, Vol. V, No. N, Month 20YY.

4 • R. Lazić

2. PRELIMINARIES 

In this section, we define safety one-way alternating automata and safety future-time linear temporal logic with 1 register on data $\omega$-words, as well as the class of counter automata that will be used in the proof of ExpSpace-membership in Section 3. We also show some of their basic properties, in particular a logarithmic-space translation from the linear temporal logic to the alternating automata.

2.1 Data Words 

A data $\omega$-word $\sigma$ over a finite alphabet $\Sigma$ is an $\omega$-word $\mathrm{str}(\sigma)$ over $\Sigma$ together with an equivalence relation $\sim_\sigma$ on $\mathbb{N} = \{0, 1, \dots\}$. We write $\mathbb{N}/{\sim_\sigma}$ for the set of all classes of $\sim_\sigma$. For $i \in \mathbb{N}$, we write $\sigma(i)$ for the letter at position $i$, and $[i]_{\sim_\sigma}$ for the class that contains $i$. When $\sigma$ is understood, we may write simply $\sim$ instead of $\sim_\sigma$. We shall sometimes refer to classes of $\sim$ as 'data'.

In some places, we shall also need the concept of a finite data word. For $i > 0$, the $i$-prefix of a data $\omega$-word $\sigma$ is the finite data word whose letters are $\sigma(0) \cdots \sigma(i-1)$ and whose equivalence relation is $\sim_\sigma$ restricted to $\{0, \dots, i-1\}$.

2.2 Register Automata 

The definition of safety one-way alternating 1-register automata below is based on the more general one of weak two-way alternating register automata in [Demri and Lazić 2009]. A configuration of such an automaton at a position $i$ of a data $\omega$-word $\sigma$ will consist of one of finitely many automaton states and a register value $D \in \mathbb{N}/{\sim}$. From it, depending on the state, the letter $\sigma(i)$, and whether $D = [i]_\sim$ (denoted $\mathsf{t}$) or $D \neq [i]_\sim$ (denoted $\mathsf{f}$), the automaton chooses a pair $Q', Q'_\downarrow$ of sets of states. The resulting set of configurations at the next word position is $\{(q', D) : q' \in Q'\} \cup \{(q', [i]_\sim) : q' \in Q'_\downarrow\}$, i.e. the states in $Q'$ are associated with the old register value, and the states in $Q'_\downarrow$ with the class of position $i$. Following [Brzozowski and Leiss 1980], what choices of pairs of sets of states are possible will be specified in each case by a positive Boolean formula. That formalisation, in contrast to listing all possible such choices, will enable a logarithmic-space translation from safety future-time LTL with 1 register.

An infinite run of the automaton will consist, for each $j \in \mathbb{N}$, of a set $F_j$ of all configurations at position $j$. For each $j$, $F_{j+1}$ will be the union of some sets of configurations chosen as above for each configuration in $F_j$. Hence, a configuration will be rejecting when its set of possible choices is empty, and it will be accepting when it can choose $Q' = Q'_\downarrow = \emptyset$. The definition of infinite runs will ensure that they cannot contain rejecting configurations, so the safety acceptance mechanism will amount to each infinite run being considered accepting.

Formally, for a finite set $Q$, let $\downarrow Q = \{\downarrow q : q \in Q\}$, and let $\mathcal{B}^+(Q)$ denote the set of all positive Boolean formulae over $Q \cup \downarrow Q$, where we assume that $Q$ and $\downarrow Q$ are disjoint:

$$\varphi ::= q \mid \downarrow q \mid \top \mid \bot \mid \varphi \wedge \varphi \mid \varphi \vee \varphi$$
A safety one-way alternating automaton with 1 register (shortly, safety 1ARA$_1$) $\mathcal{A}$ is a tuple $(\Sigma, Q, q_I, \delta)$ such that:

— $\Sigma$ is a finite alphabet;

— $Q$ is a finite set of states, and $q_I \in Q$ is the initial state;

— $\delta : (Q \times \Sigma \times \{\mathsf{t}, \mathsf{f}\}) \to \mathcal{B}^+(Q)$ is a transition function.

Satisfaction of a positive Boolean formula over $Q \cup \downarrow Q$ by a pair of sets $Q', Q'_\downarrow \subseteq Q$ is defined by structural recursion:

$$\begin{array}{lcl}
Q', Q'_\downarrow \models q & \text{iff} & q \in Q' \\
Q', Q'_\downarrow \models \downarrow q & \text{iff} & q \in Q'_\downarrow \\
Q', Q'_\downarrow \models \top & & \text{always, and } Q', Q'_\downarrow \not\models \bot \\
Q', Q'_\downarrow \models \varphi \wedge \varphi' & \text{iff} & Q', Q'_\downarrow \models \varphi \text{ and } Q', Q'_\downarrow \models \varphi' \\
Q', Q'_\downarrow \models \varphi \vee \varphi' & \text{iff} & Q', Q'_\downarrow \models \varphi \text{ or } Q', Q'_\downarrow \models \varphi'
\end{array}$$

A configuration of $\mathcal{A}$ for a data word $\sigma$ is an element of $Q \times (\{j : 0 \le j < |\sigma|\}/{\sim})$. For a position $0 \le i < |\sigma|$, and finite sets $F$ and $F'$ of configurations, we write $F \xrightarrow{i}_{\mathcal{A}} F'$ iff, for each $(q, D) \in F$, there exist $Q^{(q,D)}, Q^{(q,D)}_\downarrow \subseteq Q$ which satisfy the formula $\delta(q, \sigma(i), \mathsf{t})$ if $D = [i]_\sim$, or the formula $\delta(q, \sigma(i), \mathsf{f})$ if $D \neq [i]_\sim$, such that

$$F' = \{(q', D) : (q, D) \in F \wedge q' \in Q^{(q,D)}\} \cup \{(q', [i]_\sim) : (q, D) \in F \wedge q' \in Q^{(q,D)}_\downarrow\}$$

We say that $\mathcal{A}$ accepts a data $\omega$-word $\sigma$ over $\Sigma$ iff it has an infinite run $F_0 \xrightarrow{0}_{\mathcal{A}} F_1 \xrightarrow{1}_{\mathcal{A}} \cdots$ where $F_0 = \{(q_I, [0]_\sim)\}$ consists of the initial configuration. We write $L(\mathcal{A})$ for the language of $\mathcal{A}$, i.e. the set of all data $\omega$-words over $\Sigma$ that $\mathcal{A}$ accepts.

Example 2.1. A safety 1ARA$_1$ with alphabet $\{a, b, c\}$ and three states is depicted in Figure 1. It rejects a data $\omega$-word iff there is an occurrence of $a$, a subsequent occurrence of $b$ with the same datum, and an occurrence of $c$ between them.

The automaton is deterministic, except for the universal branching from state $q$ at letter $a$. When behaviour does not depend on whether the class in the register equals the class of the current position, the two cases are not shown separately. In particular, we have $\delta(q, a, \mathsf{t}) = \delta(q, a, \mathsf{f}) = q \wedge \downarrow q'$. The absence of a transition from $q''$ labelled by $b$ and $\mathsf{t}$ means that we have rejection in that case, i.e. $\delta(q'', b, \mathsf{t}) = \bot$.
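As an added illustration (not code from the paper), the Python below simulates a safety 1ARA$_1$ on a finite prefix using the step relation $F \xrightarrow{i}_{\mathcal{A}} F'$ defined above, with the automaton of Example 2.1 encoded under the assumed state names q, q1, q2 for $q$, $q'$, $q''$; since the language is safety, a prefix on which every run dies witnesses rejection of all its extensions.

```python
from itertools import combinations, product

# Positive Boolean formulae over Q ∪ ↓Q as nested tuples (a constructed encoding):
#   ('q', s) is the state literal s, ('down', s) is ↓s; plus ⊤, ⊥, ∧, ∨.
TOP, BOT = ('true',), ('false',)
def Q(s): return ('q', s)
def DOWN(s): return ('down', s)
def AND(f, g): return ('and', f, g)
def OR(f, g): return ('or', f, g)

def sat(formula, Q1, Qd):
    """Q', Q'↓ ⊨ formula, by the structural recursion of Section 2.2."""
    k = formula[0]
    if k == 'q':
        return formula[1] in Q1
    if k == 'down':
        return formula[1] in Qd
    if k == 'true':
        return True
    if k == 'false':
        return False
    if k == 'and':
        return sat(formula[1], Q1, Qd) and sat(formula[2], Q1, Qd)
    if k == 'or':
        return sat(formula[1], Q1, Qd) or sat(formula[2], Q1, Qd)
    raise ValueError(k)

def powerset(xs):
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

def minimal_choices(formula, states):
    """Minimal pairs (Q', Q'↓) satisfying the formula.  Positive formulae are monotone and
    a run from a set F restricts to a run from any subset of F, so minimal choices suffice."""
    subs = powerset(states)
    allsat = [(a, b) for a in subs for b in subs if sat(formula, a, b)]
    return [(a, b) for (a, b) in allsat
            if not any(a2 <= a and b2 <= b and (a2, b2) != (a, b) for (a2, b2) in allsat)]

def successors(aut, word, i, F):
    """All F' with F →_i F'.  A configuration is (state, datum): the datum value stands for
    the class of its position, and word[i] = (letter, datum)."""
    letter, datum = word[i]
    per_config = []
    for (q, D) in F:
        formula = aut['delta'][(q, letter, D == datum)]   # True plays the role of t, False of f
        per_config.append([(D, ch) for ch in minimal_choices(formula, aut['states'])])
    result = set()
    for combo in product(*per_config):        # a configuration with no choice kills every F'
        Fp = set()
        for D, (Q1, Qd) in combo:
            Fp |= {(q2, D) for q2 in Q1} | {(q2, datum) for q2 in Qd}
        result.add(frozenset(Fp))
    return result

def prefix_rejects(aut, prefix):
    """Index of the position at which every run dies on this prefix, or None.
    As the language is safety, such a prefix witnesses rejection of all its extensions."""
    frontier = {frozenset({(aut['init'], prefix[0][1])})}   # F_0 = {(q_I, [0]~)}
    for i in range(len(prefix)):
        frontier = {Fp for F in frontier for Fp in successors(aut, prefix, i, F)}
        if not frontier:
            return i
    return None

# Example 2.1's automaton with states q, q', q'' written as q, q1, q2 (names assumed here).
def both_cases(q, letter, formula):
    """Transitions that do not depend on the register test: same formula for t and f."""
    return {(q, letter, True): formula, (q, letter, False): formula}

_delta = {}
for entry in [both_cases('q', 'a', AND(Q('q'), DOWN('q1'))),   # δ(q, a, ?) = q ∧ ↓q'
              both_cases('q', 'b', Q('q')), both_cases('q', 'c', Q('q')),
              both_cases('q1', 'a', Q('q1')), both_cases('q1', 'b', Q('q1')),
              both_cases('q1', 'c', Q('q2')),                   # a c after the frozen a
              both_cases('q2', 'a', Q('q2')), both_cases('q2', 'c', Q('q2'))]:
    _delta.update(entry)
_delta[('q2', 'b', False)] = Q('q2')   # b with a different datum: keep waiting
_delta[('q2', 'b', True)] = BOT        # b with the frozen datum: δ(q'', b, t) = ⊥, rejection
EX21 = {'states': {'q', 'q1', 'q2'}, 'init': 'q', 'delta': _delta}

if __name__ == '__main__':
    # Constructed prefix a c b with the a and the b on the same datum: rejected at position 2.
    print(prefix_rejects(EX21, [('a', 1), ('c', 2), ('b', 1)]))
```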

A set $L$ of data $\omega$-words over an alphabet $\Sigma$ is called safety [Alpern and Schneider 1987] iff it is closed under limits of finite prefixes, i.e. for each data $\omega$-word $\sigma$, if for each $i > 0$ there exists $\sigma_i \in L$ with the $i$-prefixes of $\sigma$ and $\sigma_i$ equal, then $\sigma \in L$.¹

¹ Hence, a set is safety iff it is closed with respect to the Cantor metric, where the distance between two words is inversely proportional to the length of their longest common prefix.
Proposition 2.2. The language of each safety 1ARA$_1$ is safety.

Proof. Suppose that $\mathcal{A}$ is a safety 1ARA$_1$, and for each $i > 0$ there exists $\sigma_i \in L(\mathcal{A})$ such that the $i$-prefixes of $\sigma$ and $\sigma_i$ are equal. For each $i$, let $F^i_0 \xrightarrow{0}_{\mathcal{A}} F^i_1 \xrightarrow{1}_{\mathcal{A}} \cdots$ be an infinite run of $\mathcal{A}$ with $F^i_0 = \{(q_I, [0]_{\sim_{\sigma_i}})\}$. For each $0 \le j \le i$, let $\hat{F}^i_j$ be obtained from $F^i_j$ by replacing each class $D'$ of $\sim_{\sigma_i}$ with the class $D$ of $\sim_\sigma$ such that $D' \cap \{0, \dots, i-1\} = D \cap \{0, \dots, i-1\}$. Now, consider the tree formed by all the sequences $(\hat{F}^i_j : 0 \le j \le i)$ for $i > 0$. The tree is finitely branching, so by König's Lemma, it contains an infinite path $(F_j : j \in \mathbb{N})$. It remains to observe that $F_0 \xrightarrow{0}_{\mathcal{A}} F_1 \xrightarrow{1}_{\mathcal{A}} \cdots$ and $F_0 = \{(q_I, [0]_{\sim_\sigma})\}$. □

Given safety 1ARA$_1$ $\mathcal{A}_1$ and $\mathcal{A}_2$ with alphabet $\Sigma$, it is easy to construct an automaton which recognises $L(\mathcal{A}_1) \cap L(\mathcal{A}_2)$ (resp., $L(\mathcal{A}_1) \cup L(\mathcal{A}_2)$). It suffices to form a disjoint union of $\mathcal{A}_1$ and $\mathcal{A}_2$, and add a new initial state $q_I$ such that $\delta(q_I, a, ?) = \delta(q_I^1, a, ?) \wedge \delta(q_I^2, a, ?)$ (resp., $\delta(q_I, a, ?) = \delta(q_I^1, a, ?) \vee \delta(q_I^2, a, ?)$) for each $a \in \Sigma$ and $? \in \{\mathsf{t}, \mathsf{f}\}$, where $q_I^1$ and $q_I^2$ are the initial states of $\mathcal{A}_1$ and $\mathcal{A}_2$. We thus obtain:

Proposition 2.3. Safety 1ARA$_1$ are closed under finite intersections and finite unions, in logarithmic space.

2.3 Linear Temporal Logic 

Safety LTL$^\downarrow_1$(X, R) will denote the safety fragment of future-time linear temporal logic with 1 register, whose syntax is given below. Each formula is over a finite alphabet $\Sigma$, over which the atomic formulae $a$ range. By restricting ourselves to formulae in negation normal form, the safety restriction amounts to the 'release' temporal operator being available instead of its dual 'until'. The formulae may also contain the 'next' temporal operator. A freeze quantification $\downarrow \varphi$ binds each free occurrence of $\mathsf{t}$ in $\varphi$. Such an occurrence will evaluate to true iff the word position at the time of the freeze quantification and the word position when the occurrence of $\mathsf{t}$ is evaluated are in the same class.

$$\varphi ::= a \mid \top \mid \bot \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \mathrm{X}\varphi \mid \varphi \mathrm{R} \varphi \mid \downarrow \varphi \mid \mathsf{t} \mid \mathsf{f}$$

The 'always' temporal operator can be introduced by regarding $\mathrm{G}\varphi$ as an abbreviation for $\bot \mathrm{R} \varphi$.

For a data $\omega$-word $\sigma$ over a finite alphabet $\Sigma$, a position $i \in \mathbb{N}$, a register value $D \in \mathbb{N}/{\sim}$, and a formula $\varphi$ over $\Sigma$, writing $\sigma, i \models_D \varphi$ will mean that $\varphi$ is satisfied by $\sigma$ at $i$ with respect to $D$. The satisfaction relation is defined as follows, where we omit the Boolean cases.

$$\begin{array}{lcl}
\sigma, i \models_D a & \Leftrightarrow & \sigma(i) = a \\
\sigma, i \models_D \mathrm{X}\varphi & \Leftrightarrow & \sigma, i+1 \models_D \varphi \\
\sigma, i \models_D \varphi \mathrm{R} \psi & \Leftrightarrow & \text{either for all } k \ge i,\ \sigma, k \models_D \psi, \text{ or for some } j \ge i, \\
& & \sigma, j \models_D \varphi \text{ and for all } k \in \{i, \dots, j\},\ \sigma, k \models_D \psi \\
\sigma, i \models_D \downarrow\varphi & \Leftrightarrow & \sigma, i \models_{[i]_\sim} \varphi \\
\sigma, i \models_D \mathsf{t} & \Leftrightarrow & i \in D \\
\sigma, i \models_D \mathsf{f} & \Leftrightarrow & i \notin D
\end{array}$$

If $\varphi$ is a sentence, i.e. contains no free occurrence of $\mathsf{t}$, we may omit $D$ since it is irrelevant and write $\sigma, i \models \varphi$. Let $L(\varphi)$ denote the language of $\varphi$, i.e. the set of all data $\omega$-words $\sigma$ over $\Sigma$ such that $\sigma, 0 \models \varphi$.

Example 2.4. Consider the following sentence $\varphi$ over alphabet $\{a, b, c\}$:

$$\mathrm{G}(b \vee c \vee \downarrow \mathrm{X}\mathrm{G}(a \vee b \vee \mathrm{X}\mathrm{G}(a \vee c \vee \mathsf{f})))$$

We have $\sigma, 0 \models \varphi$ iff, for each occurrence of $a$ in $\sigma$ and each later occurrence of $c$, there is no later still occurrence of $b$ with the same datum as the occurrence of $a$, i.e. iff $\sigma$ is accepted by the automaton in Example 2.1.

Theorem 2.5. For each sentence $\varphi$ of safety LTL$^\downarrow_1$(X, R), a safety 1ARA$_1$ $\mathcal{A}_\varphi$ with the same alphabet and $L(\varphi) = L(\mathcal{A}_\varphi)$ is computable in logarithmic space.

Proof. The translation is a straightforward adaptation of the classical one from LTL to alternating automata (cf. e.g. [Vardi 1996]).

To define $\mathcal{A}_\varphi$ with alphabet $\Sigma$ of $\varphi$, let the set of states $Q$ consist of all $q_{\varphi'}$ such that $\varphi'$ is either $\varphi$, or $\psi$ for a subformula $\mathrm{X}\psi$ of $\varphi$, or a subformula $\psi \mathrm{R} \chi$ of $\varphi$. Let the initial state be $q_\varphi$. The transition function is obtained by restricting to $Q$ the function defined below by structural recursion over the set of all $q_{\varphi'}$ where $\varphi'$ is a subformula of $\varphi$. The dual cases are omitted, and $?$ ranges over $\{\mathsf{t}, \mathsf{f}\}$. In the formula for $\delta(q_{\downarrow\psi}, a, ?)$, each occurrence of a state $q'$ without $\downarrow$ is substituted by $\downarrow q'$.

$$\begin{array}{ll}
\delta(q_a, a, ?) = \top & \delta(q_{\psi \wedge \chi}, a, ?) = \delta(q_\psi, a, ?) \wedge \delta(q_\chi, a, ?) \\
\delta(q_a, a', ?) = \bot, \text{ for } a' \neq a & \delta(q_{\mathrm{X}\psi}, a, ?) = q_\psi \\
\delta(q_\top, a, ?) = \top & \delta(q_{\psi \mathrm{R} \chi}, a, ?) = \delta(q_\chi, a, ?) \wedge (\delta(q_\psi, a, ?) \vee q_{\psi \mathrm{R} \chi}) \\
\delta(q_{\mathsf{t}}, a, \mathsf{t}) = \top & \delta(q_{\downarrow\psi}, a, ?) \stackrel{\mathrm{def}}{=} \delta(q_\psi, a, \mathsf{t})[\downarrow q'/q' : q' \in Q] \\
\delta(q_{\mathsf{t}}, a, \mathsf{f}) = \bot &
\end{array}$$

That $\mathcal{A}_\varphi$ is computable in logarithmic space follows by observing that, for each subformula $\varphi'$ of $\varphi$, $a \in \Sigma$, and $? \in \{\mathsf{t}, \mathsf{f}\}$, a single traversal of $\varphi'$ suffices for computing $\delta(q_{\varphi'}, a, ?)$.

Equality of the languages of $\varphi$ and $\mathcal{A}_\varphi$ is implied by the following claim: for each subformula $\varphi'$ of $\varphi$, data $\omega$-word $\sigma$ over $\Sigma$, position $i \in \mathbb{N}$, and register value $D \in \mathbb{N}/{\sim}$, we have $\sigma, i \models_D \varphi'$ iff, for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_{\varphi'}, \sigma(i), \mathsf{t})$ if $D = [i]_\sim$ or such that $Q', Q'_\downarrow \models \delta(q_{\varphi'}, \sigma(i), \mathsf{f})$ if $D \neq [i]_\sim$, $\mathcal{A}_\varphi$ has an infinite run from position $i+1$ of $\sigma$, starting with

$$\{(q', D) : q' \in Q'\} \cup \{(q', [i]_\sim) : q' \in Q'_\downarrow\}$$

(If $q_{\varphi'}$ is a state of $\mathcal{A}_\varphi$, the latter is equivalent to $\mathcal{A}_\varphi$ having a run from position $i$ of $\sigma$, starting with $\{(q_{\varphi'}, D)\}$.) The claim is provable by structural induction on $\varphi'$. We treat explicitly the two interesting cases: $\varphi' = \psi \mathrm{R} \chi$ and $\varphi' = \downarrow\psi$.

Suppose $\sigma, i \models_D \psi \mathrm{R} \chi$. If $\sigma, j \models_D \psi$ for some $j \ge i$, and $\sigma, k \models_D \chi$ for all $k \in \{i, \dots, j\}$, then by the inductive hypothesis:

(i) for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(j), \mathsf{t})$ if $D = [j]_\sim$, or such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(j), \mathsf{f})$ if $D \neq [j]_\sim$, $\mathcal{A}_\varphi$ has an infinite run $F'_{j+1} \xrightarrow{j+1}_{\mathcal{A}_\varphi} F'_{j+2} \xrightarrow{j+2}_{\mathcal{A}_\varphi} \cdots$ with

$$F'_{j+1} = \{(q', D) : q' \in Q'\} \cup \{(q', [j]_\sim) : q' \in Q'_\downarrow\}$$

(ii) for all $k \in \{i, \dots, j\}$, for some $Q^k, Q^k_\downarrow \subseteq Q$ such that $Q^k, Q^k_\downarrow \models \delta(q_\chi, \sigma(k), \mathsf{t})$ if $D = [k]_\sim$, or such that $Q^k, Q^k_\downarrow \models \delta(q_\chi, \sigma(k), \mathsf{f})$ if $D \neq [k]_\sim$, $\mathcal{A}_\varphi$ has an infinite run $F^k_{k+1} \xrightarrow{k+1}_{\mathcal{A}_\varphi} F^k_{k+2} \xrightarrow{k+2}_{\mathcal{A}_\varphi} \cdots$ with

$$F^k_{k+1} = \{(q', D) : q' \in Q^k\} \cup \{(q', [k]_\sim) : q' \in Q^k_\downarrow\}$$

Letting $F_l = \{(q_{\psi \mathrm{R} \chi}, D)\} \cup \bigcup_{k \in \{i, \dots, l-1\}} F^k_l$ for each $l \in \{i, \dots, j\}$, and $F_l = \bigcup_{k \in \{i, \dots, j\}} F^k_l \cup F'_l$ for each $l \ge j+1$, we have by (i) and (ii) that $F_i \xrightarrow{i}_{\mathcal{A}_\varphi} F_{i+1} \xrightarrow{i+1}_{\mathcal{A}_\varphi} \cdots$ and $F_i = \{(q_{\psi \mathrm{R} \chi}, D)\}$, as required. If $\sigma, k \models_D \chi$ for all $k \ge i$, the argument is simpler.

For the converse, suppose $\mathcal{A}_\varphi$ has an infinite run $F_i \xrightarrow{i}_{\mathcal{A}_\varphi} F_{i+1} \xrightarrow{i+1}_{\mathcal{A}_\varphi} \cdots$ with $F_i = \{(q_{\psi \mathrm{R} \chi}, D)\}$. If there exists $j \ge i$ with $(q_{\psi \mathrm{R} \chi}, D) \notin F_{j+1}$, consider the minimum such $j$. Since $\delta(q_{\psi \mathrm{R} \chi}, a, ?) = \delta(q_\chi, a, ?) \wedge (\delta(q_\psi, a, ?) \vee q_{\psi \mathrm{R} \chi})$, we obtain:

(iii) for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(j), \mathsf{t})$ if $D = [j]_\sim$, or such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(j), \mathsf{f})$ if $D \neq [j]_\sim$, we have

$$\{(q', D) : q' \in Q'\} \cup \{(q', [j]_\sim) : q' \in Q'_\downarrow\} \subseteq F_{j+1}$$

(iv) for all $k \in \{i, \dots, j\}$, for some $Q^k, Q^k_\downarrow \subseteq Q$ such that $Q^k, Q^k_\downarrow \models \delta(q_\chi, \sigma(k), \mathsf{t})$ if $D = [k]_\sim$, or such that $Q^k, Q^k_\downarrow \models \delta(q_\chi, \sigma(k), \mathsf{f})$ if $D \neq [k]_\sim$, we have

$$\{(q', D) : q' \in Q^k\} \cup \{(q', [k]_\sim) : q' \in Q^k_\downarrow\} \subseteq F_{k+1}$$

By considering subruns starting with the sets of configurations in (iii) and (iv), and the inductive hypothesis, it follows that $\sigma, j \models_D \psi$, and $\sigma, k \models_D \chi$ for all $k \in \{i, \dots, j\}$, so $\sigma, i \models_D \psi \mathrm{R} \chi$ as required. If $(q_{\psi \mathrm{R} \chi}, D) \in F_{j+1}$ for all $j \ge i$, the argument is again simpler.

For case $\varphi' = \downarrow\psi$, we have $\sigma, i \models_D \downarrow\psi$ iff $\sigma, i \models_{[i]_\sim} \psi$. By the inductive hypothesis, that is iff:

(v) for some $Q^*, Q^*_\downarrow \subseteq Q$ such that $Q^*, Q^*_\downarrow \models \delta(q_\psi, \sigma(i), \mathsf{t})$, $\mathcal{A}_\varphi$ has an infinite run from position $i+1$ of $\sigma$, starting with $\{(q', [i]_\sim) : q' \in Q^* \cup Q^*_\downarrow\}$.

On the other hand, having an infinite run from position $i+1$ of $\sigma$, starting with

$$\{(q', D) : q' \in Q'\} \cup \{(q', [i]_\sim) : q' \in Q'_\downarrow\}$$

for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_{\downarrow\psi}, \sigma(i), \mathsf{t})$ if $D = [i]_\sim$, or such that $Q', Q'_\downarrow \models \delta(q_{\downarrow\psi}, \sigma(i), \mathsf{f})$ if $D \neq [i]_\sim$, is equivalent to:

(vi) for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(i), \mathsf{t})[\downarrow q'/q' : q' \in Q]$, $\mathcal{A}_\varphi$ has an infinite run from position $i+1$ of $\sigma$, starting with

$$\{(q', D) : q' \in Q'\} \cup \{(q', [i]_\sim) : q' \in Q'_\downarrow\}$$

It remains to observe that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(i), \mathsf{t})[\downarrow q'/q' : q' \in Q]$ iff $Q'_\downarrow = Q^* \cup Q^*_\downarrow$ for some $Q^*, Q^*_\downarrow \models \delta(q_\psi, \sigma(i), \mathsf{t})$, so (v) and (vi) are equivalent. □
2.4 Counter Automata

We introduce below a class of nondeterministic automata on $\omega$-words which have $\varepsilon$ transitions and $\mathbb{N}$-valued counters. The set of counters of such an automaton will have structure: there will be a finite set called the basis of the automaton, and each counter will be a nonempty subset of the basis. In the course of a transition, the automaton will be able either to increment a counter, or to decrement a counter if nonzero, or to perform a simultaneous nondeterministic transfer with respect to a mapping $f$ from counters to sets of counters. The latter transfers the value of each counter $c$ to the counters in $f(c)$, nondeterministically splitting it. However, only mappings which satisfy a distributivity constraint in terms of the structure of the set of counters may be used.

The observation that simultaneous nondeterministic transfers arising from translating safety 1ARA$_1$ are distributive (cf. the proof of Theorem 3.2), and that distributivity enables nonemptiness of the counter automata to be decided in space exponential in basis size (cf. the proof of Theorem 3.3), are key components of the paper.

We shall only consider automata with no cycles of $\varepsilon$ transitions, and they will recognise safety languages, so every infinite run will accept some $\omega$-word.

The automata will be faulty in the sense that their counters may erroneously increase at any time.

Formally, for a finite set $X$ and $C \subseteq \mathcal{P}(X) \setminus \{\emptyset\}$, let $\mathcal{I}(C)$ be the set of all instructions:

— $(\mathrm{inc}, c)$ and $(\mathrm{dec}, c)$ for $c \in C$;

— $(\mathrm{transf}, f)$ for mappings $f : C \to \mathcal{P}(C)$ which are distributive as follows: whenever $c \in C$, $c \subseteq \bigcup_{i=1}^k c_i$, and $c'_i \in f(c_i)$ for each $i = 1, \dots, k$, there exists $c' \in f(c)$ such that $c' \subseteq \bigcup_{i=1}^k c'_i$.

A safety powerset counter automaton with nondeterministic transfers and incrementing errors (shortly, safety IPCANT) $\mathcal{C}$ is a tuple $(\Sigma, Q, q_I, X, C, \delta)$ such that:

— $\Sigma$ is a finite alphabet;

— $Q$ is a finite set of states, and $q_I$ is the initial state;

— $X$ is a finite set called the basis, and $C \subseteq \mathcal{P}(X) \setminus \{\emptyset\}$ is the set of counters;

— $\delta \subseteq Q \times (\Sigma \uplus \{\varepsilon\}) \times \mathcal{I}(C) \times Q$ is a transition relation which does not contain a cycle of $\varepsilon$ transitions.

A configuration of $\mathcal{C}$ is a pair $(q, v)$, where $q \in Q$ and $v$ is a counter valuation, i.e. $v : C \to \mathbb{N}$. We say that $(q, v)$ has an error-free transition labelled by $w \in \Sigma \uplus \{\varepsilon\}$ and performing $I \in \mathcal{I}(C)$ to $(q', v')$, and we write $(q, v) \xrightarrow{w, I}_{\mathrm{ef}} (q', v')$, iff $(q, w, I, q') \in \delta$ and $v'$ can be obtained from $v$ by $I$. The latter is defined as follows:

— instructions $(\mathrm{inc}, c)$ and $(\mathrm{dec}, c)$ have the standard interpretations, where $(\mathrm{dec}, c)$ is firable iff $v(c) > 0$;

— $v'$ can be obtained from $v$ by $(\mathrm{transf}, f)$ iff there exist $K_{c,c'} \ge 0$ for each $c \in C$ and $c' \in f(c)$, such that:

$$\text{for each } c \in C,\ v(c) = \sum_{c' \in f(c)} K_{c,c'} \qquad\qquad \text{for each } c' \in C,\ v'(c') = \sum_{f(c) \ni c'} K_{c,c'}$$

in particular, $(\mathrm{transf}, f)$ is firable iff $v(c) = 0$ whenever $f(c) = \emptyset$.

For counter valuations $v$ and $v_\dagger$, we write $v \le v_\dagger$ iff, for all $c$, $v(c) \le v_\dagger(c)$. To allow transitions of $\mathcal{C}$ to contain incrementing errors, we define $(q, v) \xrightarrow{w, I} (q', v')$ to mean that there exist $v_\dagger$ and $v'_\dagger$ with $v \le v_\dagger$, $(q, v_\dagger) \xrightarrow{w, I}_{\mathrm{ef}} (q', v'_\dagger)$ and $v'_\dagger \le v'$.

We say that $\mathcal{C}$ accepts an $\omega$-word $w$ over $\Sigma$ iff $\mathcal{C}$ has a run $(q_0, v_0) \xrightarrow{w_0, I_0} (q_1, v_1) \xrightarrow{w_1, I_1} \cdots$ where $(q_0, v_0)$ is the initial configuration $(q_I, 0)$ and $w = w_0 w_1 \cdots$.

Example 2.6. Given $Y \subseteq X$, let $f_Y(c) = \emptyset$ if $c \cap Y \neq \emptyset$, and $f_Y(c) = \{c\}$ otherwise. Observe that $f_Y$ is distributive. The instruction $(\mathrm{transf}, f_Y)$ is firable iff each counter which intersects $Y$ is zero, and it does not change the value of any counter. Hence, we may write $(\mathrm{ifz}_\cap, Y)$ instead of $(\mathrm{transf}, f_Y)$.

Suppose $C = \{\{x\} : x \in X\}$, i.e. the set of counters has no structure. The instruction $(\mathrm{ifz}_\cap, Y)$ is firable iff each counter $\{x\}$ for $x \in Y$ is zero. Observe that every $f : C \to \mathcal{P}(C)$ is distributive. For instance, given $c \in C$ and nonempty $C' \subseteq C$, let $f_{c,C'}(c) = C'$ and $f_{c,C'}(c') = \{c'\}$ for $c' \neq c$. The instruction $(\mathrm{transf}, f_{c,C'})$ nondeterministically distributes the value of $c$ to the counters in $C'$.
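As an added example (not from the paper), the Python below checks the distributivity condition of this subsection by brute force and enumerates the valuations obtainable by a $(\mathrm{transf}, f)$ instruction, then applies both to the mappings $f_Y$ and $f_{c,C'}$ of Example 2.6 over a constructed basis $\{x, y\}$ (and $\{x, y, z\}$ for the unstructured case).

```python
from itertools import combinations, product

def powerset(xs):
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

def union(sets):
    return frozenset().union(*sets)

def is_distributive(C, f):
    """Distributivity of f : C → P(C) from Section 2.4: whenever c ⊆ c_1 ∪ ... ∪ c_k and
    c'_i ∈ f(c_i) for each i, some c' ∈ f(c) satisfies c' ⊆ c'_1 ∪ ... ∪ c'_k.
    Brute force over subsets S of C (repeating a c_i changes nothing).  f maps each
    counter (a frozenset over the basis) to a set of counters."""
    C = list(C)
    for c in C:
        for S in powerset(C):
            if not S or not c <= union(S):
                continue
            for picks in product(*[list(f[ci]) for ci in S]):   # one c'_i per c_i in S
                if not any(cp <= union(picks) for cp in f[c]):
                    return False
    return True

def compositions(n, m):
    """All ordered splittings of n into m naturals; with m = 0 only n = 0 has a splitting."""
    if m == 0:
        if n == 0:
            yield ()
        return
    for first in range(n + 1):
        for rest in compositions(n - first, m - 1):
            yield (first,) + rest

def transfer_successors(v, f):
    """All valuations v' obtainable from v by (transf, f): the value v(c) of each counter is
    split among the counters in f(c) (the K_{c,c'} of Section 2.4).  Returns [] when the
    instruction is not firable, i.e. when some c with f(c) = ∅ has v(c) > 0."""
    counters = list(v)
    targets = [list(f[c]) for c in counters]
    results = set()
    for splits in product(*[compositions(v[c], len(t)) for c, t in zip(counters, targets)]):
        vp = {c: 0 for c in counters}
        for t, split in zip(targets, splits):
            for cp, k in zip(t, split):
                vp[cp] += k
        results.add(frozenset(vp.items()))
    return [dict(r) for r in results]

def f_Y(C, Y):
    """Example 2.6: (transf, f_Y) is the test (ifz_∩, Y) that every counter meeting Y is zero."""
    return {c: (set() if c & Y else {c}) for c in C}

def f_split(C, c, Cprime):
    """Example 2.6 with unstructured counters: f_{c,C'} moves the value of c onto C'."""
    return {d: (set(Cprime) if d == c else {d}) for d in C}

# Constructed basis X = {x, y} with the structured counter set {{x}, {y}, {x, y}}.
CX, CY, CXY = frozenset({'x'}), frozenset({'y'}), frozenset({'x', 'y'})
STRUCTURED = [CX, CY, CXY]
# A mapping that violates distributivity: {x, y} ⊆ {x} ∪ {y}, but f({x, y}) offers no target.
NOT_DISTRIBUTIVE = {CX: {CX}, CY: {CY}, CXY: set()}

if __name__ == '__main__':
    print(is_distributive(STRUCTURED, f_Y(STRUCTURED, {'x'})))   # True
    print(is_distributive(STRUCTURED, NOT_DISTRIBUTIVE))           # False
```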

For $\mathcal{C}$ as above, let us say that a transition $(q, v) \xrightarrow{w, I} (q', v')$ is lazy iff either $(q, v) \xrightarrow{w, I}_{\mathrm{ef}} (q', v')$, or $I$ is of the form $(\mathrm{dec}, c)$, $v(c) = 0$ and $v' = v$. Thus, in lazy transitions, only incrementing errors which enable decrements of counters with value $0$ may occur. The following straightforward proposition shows that restricting to lazy transitions does not affect the languages of safety IPCANTs.

Proposition 2.7. Whenever $(q, v) \xrightarrow{w, I} (q', v')$ is a transition of a safety IPCANT $\mathcal{C}$ and $v_\dagger \le v$, there exists a lazy transition $(q, v_\dagger) \xrightarrow{w, I} (q', v'_\dagger)$ of $\mathcal{C}$ such that $v'_\dagger \le v'$.

A set $L$ of $\omega$-words over an alphabet $\Sigma$ is called safety [Alpern and Schneider 1987] iff it is closed under limits of finite prefixes, i.e. for each $\omega$-word $w$, if for each $i > 0$ there exists $w_i \in L$ such that the $i$-prefixes of $w$ and $w_i$ are equal, then $w \in L$. For each safety IPCANT, the tree of all its lazy runs is finitely branching, so by simplifying the argument in the proof of Proposition 2.2, and by Proposition 2.7, we obtain:

Proposition 2.8. The language of each safety IPCANT is safety.

3. UPPER BOUND 

This section contains a two-stage proof that nonemptiness of safety 1ARA$_1$ is in ExpSpace. The first theorem below shows that each such automaton $\mathcal{A}$ is translatable to a safety IPCANT $\mathcal{C}_{\mathcal{A}}$ of at most exponential size, but whose basis size is polynomially (in fact, linearly) bounded. Nonemptiness is preserved, since $\mathcal{C}_{\mathcal{A}}$ accepts exactly the string projections of data $\omega$-words in the language of $\mathcal{A}$. By the second theorem, nonemptiness of $\mathcal{C}_{\mathcal{A}}$ is decidable in space exponential in its basis size and polynomial (in fact, polylogarithmic) in its alphabet size and number of states, so space exponential in the size of $\mathcal{A}$ suffices overall.

We start with a piece of notation and a lemma about IPCANT. Suppose $C$ is a set of counters over a basis $X$. For counter valuations $v_\dagger$ and $v$, let us write $v_\dagger \sqsubseteq v$ iff there exists $v_\ddagger \le v$ which can be obtained from $v_\dagger$ by performing $(\mathrm{transf}, c \mapsto \{d : c \subseteq d\})$. The lemma states that $\sqsubseteq$ is downwards compatible with every simultaneous nondeterministic transfer.

Lemma 3.1. Whenever $v_\dagger \sqsubseteq v$ and $v'$ is obtainable from $v$ by some $(\mathrm{transf}, f)$ with distributive $f$, there exists $v'_\dagger$ obtainable from $v_\dagger$ by $(\mathrm{transf}, f)$ and such that $v'_\dagger \sqsubseteq v'$.

Proof. We use the following shorthand: $\hat{v} = \bigcup_{c \in C} \{(c, 1), \dots, (c, v(c))\}$.

The assumptions are equivalent to existence of: an injective $\iota : \hat{v}_\dagger \to \hat{v}$ such that $c \subseteq d$ whenever $\iota(c, i) = (d, j)$, and a bijective $\beta : \hat{v} \to \hat{v}'$ such that $f(d) \ni d'$ whenever $\beta(d, j) = (d', j')$.

For each $(c, i) \in \hat{v}_\dagger$, we have $c \subseteq d$ where $\iota(c, i) = (d, j)$, and $f(d) \ni d'$ where $\beta(d, j) = (d', j')$, so by distributivity of $f$, there exists $c' \in f(c)$ such that $c' \subseteq d'$. Hence, there exist a counter valuation $v'_\dagger$, and a bijective $\beta_\dagger : \hat{v}_\dagger \to \hat{v}'_\dagger$ such that $c' \in f(c)$ and $c' \subseteq d'$ whenever $\beta_\dagger(c, i) = (c', i')$ and $(\beta \circ \iota)(c, i) = (d', j')$. It remains to observe that $\beta \circ \iota \circ \beta_\dagger^{-1}$ is an injection from $\hat{v}'_\dagger$ to $\hat{v}'$. □

Theorem 3.2. Given a safety 1ARA$_1$ $\mathcal{A}$, a safety IPCANT $\mathcal{C}_{\mathcal{A}}$ is computable in polynomial space, such that $\mathcal{C}_{\mathcal{A}}$ and $\mathcal{A}$ have the same alphabet, the basis size of $\mathcal{C}_{\mathcal{A}}$ is linear in the number of states of $\mathcal{A}$, and $L(\mathcal{C}_{\mathcal{A}}) = \{\mathrm{str}(\sigma) : \sigma \in L(\mathcal{A})\}$.

Proof. The proof is an adaptation of the proof of [Demri and Lazić 2009, Theorem 4.4], where it was shown how to translate in polynomial space weak 1ARA$_1$ to Büchi nondeterministic counter automata with $\varepsilon$ transitions and incrementing errors, and whose instructions are increments, decrements and zero tests of individual counters. We show below essentially that, since $\mathcal{A}$ is safety, zero tests of individual counters, cycles of $\varepsilon$ transitions and the Büchi acceptance condition can be eliminated using nondeterministic transfers with a suitable basis and set of counters, resulting in a safety IPCANT.

Let $A = (\Sigma, Q, q_I, \delta)$. We first introduce an abstraction which maps a finite set $F$ of configurations of $A$ at a position $i$ of a data word $\sigma$ over $\Sigma$ to a triple $(a, Q_\dagger, \sharp)$ such that: $a = \sigma(i)$, $Q_\dagger$ is the set of all states that occur in $F$ paired with $[i]_\sim$, and for each nonempty $R \subseteq Q$, $\sharp(R)$ is the number of data $D \neq [i]_\sim$ for which $R$ is the set of all states that occur in $F$ paired with $D$. Thus, the abstraction records only the letter at position $i$, and equalities among the datum at position $i$ and data in configurations in $F$. We then observe that nonemptiness of $A$ is equivalent to existence of an infinite sequence of abstract transitions which starts from a triple of the form $(a, \{q_I\}, 0)$. In other words, searching for a data $\omega$-word $\sigma$ over $\Sigma$ and an infinite run of $A$ on $\sigma$ can be performed one position at a time, while keeping in memory only the information recorded by the abstraction.

Formally, we define $H_A$ to be the set of all triples $(a, Q_\dagger, \sharp)$ for which $a \in \Sigma$, $Q_\dagger \subseteq Q$, and $\sharp : \mathcal P(Q) \setminus \{\emptyset\} \to \mathbb N$. For a data word $\sigma$ over $\Sigma$, a position $0 \le i < |\sigma|$, and a finite set $F$ of configurations, let $h(\sigma, i, F) = (\sigma(i), Q_F^{\sigma,[i]_\sim}, \sharp_F^{\sigma,[i]_\sim})$, where, for each nonempty $R \subseteq Q$:

$$Q_F^{\sigma,D} = \{q : (q, D) \in F\} \qquad \sharp_F^{\sigma,D}(R) = \big|\{D' \neq D : Q_F^{\sigma,D'} = R\}\big|$$
To obtain a successor of a member of $H_A$, for each configuration that it represents, sets of states which satisfy the appropriate positive Boolean formula in $A$ are chosen, and then two cases are distinguished: either the datum at the next position occurs in the next set of configurations, or not. Thus, we write $(a, Q_\dagger, \sharp) \to (a', Q'_\dagger, \sharp')$ iff, for each $q \in Q_\dagger$, there exist $Q^q, Q^q_\dagger \models \delta(q, a, \mathrm t)$, and for each nonempty $R \subseteq Q$, $j \in \{1, \ldots, \sharp(R)\}$ and $q \in R$, there exist $Q^{R,j,q}, Q^{R,j,q}_\dagger \models \delta(q, a, \mathrm f)$, such that:
— either $\sharp' = \sharp^\dagger[Q'_\dagger \mapsto \sharp^\dagger(Q'_\dagger) - 1]$,
— or $Q'_\dagger = \emptyset$ and $\sharp' = \sharp^\dagger$,

where, for each nonempty $R' \subseteq Q$, $\sharp^\dagger(R')$ is defined as

$$\Big|\Big\{(R,j) : \bigcup_{q \in R} Q^{R,j,q} = R'\Big\}\Big| + \begin{cases} 1, & \text{if } \bigcup_{q \in Q_\dagger} Q^q \cup \bigcup_{q \in Q_\dagger} Q^q_\dagger \cup \bigcup_{R,j} \bigcup_{q \in R} Q^{R,j,q}_\dagger = R' \\ 0, & \text{otherwise} \end{cases}$$

We claim the following correspondence between infinite sequences of transitions in $H_A$ from initial triples and infinite runs of $A$ from initial configurations:

(*) $(a_0, Q^0_\dagger, \sharp_0) \to (a_1, Q^1_\dagger, \sharp_1) \to \cdots$ is an infinite sequence of transitions in $H_A$ such that $Q^0_\dagger = \{q_I\}$ and $\sharp_0 = 0$ iff $A$ has an infinite run $F_0 \to F_1 \to \cdots$ on a data $\omega$-word $\sigma$ over $\Sigma$ such that $F_0 = \{(q_I, [0]_\sim)\}$ and $(a_i, Q^i_\dagger, \sharp_i) = h(\sigma, i, F_i)$ for each $i \in \mathbb N$.

One direction is straightforward, since $h(\sigma, 0, \{(q_I, [0]_\sim)\}) = (\sigma(0), \{q_I\}, 0)$, and $F \to F'$ implies $h(\sigma, i, F) \to h(\sigma, i+1, F')$. For the other direction, suppose $(a_0, Q^0_\dagger, \sharp_0) \to (a_1, Q^1_\dagger, \sharp_1) \to \cdots$ is an infinite sequence of transitions in $H_A$, $Q^0_\dagger = \{q_I\}$ and $\sharp_0 = 0$. For each $i \in \mathbb N$, let $\sigma_i$ be a data word over $\Sigma$ of length $i+1$ and $F_i$ be a set of configurations for $\sigma_i$ with $(a_i, Q^i_\dagger, \sharp_i) = h(\sigma_i, i, F_i)$, chosen as follows:

— We take $\mathrm{str}(\sigma_0) = a_0$, $\sim^{\sigma_0} = \{(0,0)\}$, and $F_0 = \{(q_I, \{0\})\}$.

— Given $\sigma_i$ and $F_i$, we choose $\sigma_{i+1}$ and $F_{i+1}$ for which $\sigma_i$ is the $(i+1)$-prefix of $\sigma_{i+1}$, $(a_{i+1}, Q^{i+1}_\dagger, \sharp_{i+1}) = h(\sigma_{i+1}, i+1, F_{i+1})$, and $F_i \to F_{i+1}$.

Now, let $\sigma^*$ be the limit of the $\sigma_i$, i.e. such that for each $i \in \mathbb N$, $\sigma_i$ is the $(i+1)$-prefix of $\sigma^*$. For each $i \in \mathbb N$, let $F'_i$ be the unique set of configurations for $\sigma^*$ that satisfies

$$F_i = \{(q, D \cap \{0, \ldots, i\}) : (q, D) \in F'_i\}$$

Observe that $|F'_i| = |F_i|$, so $F'_i$ is finite. Moreover, $h(\sigma^*, i, F'_i) = h(\sigma_i, i, F_i)$, so $h(\sigma^*, i, F'_i) = (a_i, Q^i_\dagger, \sharp_i)$. Finally, since $F_i \to F_{i+1}$, we have $F'_i \to F'_{i+1}$.

The nondeterministic procedure below guesses an infinite sequence $(a_0, Q^0_\dagger, \sharp_0) \to (a_1, Q^1_\dagger, \sharp_1) \to \cdots$ of transitions in $H_A$ such that $Q^0_\dagger = \{q_I\}$ and $\sharp_0 = 0$ in the following manner: whenever the main loop has been performed $i$ times and execution is at the end of step (2), $a$, $Q_\dagger$ and the counters $c$ store $a_i$, $Q^i_\dagger$ and $\sharp_i$ (respectively), and all the counters $d$ have value 0. In the notation of the definition above of transitions in $H_A$, each $d(R', R'_\dagger)$ is used to count the number of pairs $(R, j)$ such that $\bigcup_{q \in R} Q^{R,j,q} = R'$ and $\bigcup_{q \in R} Q^{R,j,q}_\dagger = R'_\dagger$. If one or more choices in steps (3) or (4) are not possible, the procedure blocks.
(0) Set $c(R) := 0$ for each nonempty $R \subseteq Q$, and $d(R, R_\dagger) := 0$ for each $R, R_\dagger \subseteq Q$.

(1) Set $Q_\dagger := \{q_I\}$.

(2) Choose $a \in \Sigma$.

(3) While $c(R) > 0$ for some nonempty $R \subseteq Q$, do:
— decrement $c(R)$;
— for each $q \in R$, choose $Q^q, Q^q_\dagger \models \delta(q, a, \mathrm f)$;
— increment $d(\bigcup_{q \in R} Q^q, \bigcup_{q \in R} Q^q_\dagger)$.

(4) For each $q \in Q_\dagger$, choose $Q^q, Q^q_\dagger \models \delta(q, a, \mathrm t)$.

(5) Increment $c\big(\bigcup_{q \in Q_\dagger} Q^q \cup \bigcup_{q \in Q_\dagger} Q^q_\dagger \cup \bigcup\{R_\dagger : d(R, R_\dagger) > 0\}\big)$.

(6) While $d(R, R_\dagger) > 0$ for some $R, R_\dagger \subseteq Q$, decrement $d(R, R_\dagger)$, and increment $c(R)$ if $R$ is nonempty.

(7) Either choose nonempty $Q_\dagger$ with $c(Q_\dagger) > 0$ and decrement $c(Q_\dagger)$, or set $Q_\dagger := \emptyset$.

(8) Repeat from (2).

By (*), we have that the procedure has an infinite execution such that the letters chosen in step (2) are $a_0, a_1, \ldots$ iff $A$ accepts a data $\omega$-word $\sigma$ such that $a_i = \sigma(i)$ for each $i \in \mathbb N$. Therefore, in the remainder of the proof, we show that the procedure is implementable by a safety IPCANT $C_A$ which is computable in polynomial space and whose basis size is linear in $|Q|$.
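The abstraction $h$ and the concrete transitions it summarises, as an added worked example (this code is not from the paper): a small Python model of a 1ARA$_1$ whose transition function maps a state, a letter and a flag saying whether the current datum equals the stored one to a positive Boolean formula over "go to $q$" and "go to $q$ storing the current datum" atoms, the concrete successor relation $F \to F'$ on sets of configurations, and the abstraction $(Q_\dagger, \sharp)$ (the letter component is left out). The toy automaton `FRESH`, its state names and the tuple encoding of formulas are constructed for this example. The last function checks the point of the proof: two configuration sets with the same abstraction have the same set of abstract successors, so the search for a run can proceed one position at a time on abstractions alone.

```python
from itertools import product
from collections import Counter

# Positive Boolean formulas over the atoms ('go', q) and ('store', q), plus ('true',),
# ('false',), ('and', f, g) and ('or', f, g).  'go' keeps the configuration's own datum,
# 'store' overwrites it with the current datum (the register construct of a 1ARA_1).

def holds(Qgo, Qst, phi):
    """Q^q, Q^q_dagger |= phi, with Qgo playing Q^q and Qst playing Q^q_dagger."""
    op = phi[0]
    if op == 'true':
        return True
    if op == 'false':
        return False
    if op == 'go':
        return phi[1] in Qgo
    if op == 'store':
        return phi[1] in Qst
    if op == 'and':
        return holds(Qgo, Qst, phi[1]) and holds(Qgo, Qst, phi[2])
    if op == 'or':
        return holds(Qgo, Qst, phi[1]) or holds(Qgo, Qst, phi[2])
    raise ValueError(phi)


def subsets(states):
    states = sorted(states)
    for bits in product((0, 1), repeat=len(states)):
        yield frozenset(s for s, b in zip(states, bits) if b)


def models(states, phi):
    """All pairs (Q^q, Q^q_dagger) of subsets of `states` satisfying phi."""
    return [(g, s) for g in subsets(states) for s in subsets(states) if holds(g, s, phi)]


class ARA:
    """Constructed 1ARA_1: delta[(q, a, same)] is the formula for state q reading letter a,
    where `same` says whether the current datum equals the datum stored by q."""

    def __init__(self, states, init, delta):
        self.Q, self.init, self.delta = frozenset(states), init, delta

    def successors(self, F, a, d):
        """All F' with F -> F' at a position carrying letter a and datum d;
        F is a frozenset of configurations (state, datum)."""
        confs = sorted(F)
        choices = [models(self.Q, self.delta[(q, a, D == d)]) for q, D in confs]
        result = set()
        for pick in product(*choices):
            G = set()
            for (q, D), (go, store) in zip(confs, pick):
                G.update((q2, D) for q2 in go)      # threads keeping their datum
                G.update((q2, d) for q2 in store)   # threads storing the current datum
            result.add(frozenset(G))
        return result


def abstract(F, d):
    """h(sigma, i, F) without the letter: Q_dagger, the states paired with the current datum d,
    and sharp, which records for every other datum the set of states paired with it
    (as a multiset of subsets of Q, here a frozenset of (subset, count) pairs)."""
    by_datum = {}
    for q, D in F:
        by_datum.setdefault(D, set()).add(q)
    q_dagger = frozenset(by_datum.pop(d, set()))
    sharp = Counter(frozenset(R) for R in by_datum.values())
    return q_dagger, frozenset(sharp.items())


def abstract_successors(ara, F, a, d, d_next):
    """Abstractions, relative to the datum d_next of the next position, of all F' with F -> F'."""
    return frozenset(abstract(G, d_next) for G in ara.successors(F, a, d))


def has_run_prefix(ara, word):
    """Whether the automaton has a run on the finite data word (list of (letter, datum)),
    starting from the single configuration (q_I, datum of position 0)."""
    frontier = {frozenset({(ara.init, word[0][1])})}
    for a, d in word:
        frontier = {G for F in frontier for G in ara.successors(F, a, d)}
        if not frontier:
            return False
    return True


# Constructed toy automaton: p walks along the word and at every position spawns a thread q that
# stores the current datum; q rejects if its datum is ever seen again.  So the automaton has an
# infinite run exactly on data words whose data are pairwise distinct.
STORE_BOTH = ('and', ('store', 'p'), ('store', 'q'))
FRESH = ARA({'p', 'q'}, 'p', {
    ('p', 'a', True): STORE_BOTH, ('p', 'a', False): STORE_BOTH,
    ('q', 'a', True): ('false',),  ('q', 'a', False): ('go', 'q'),
})
```

The configuration sets `{(p,5),(q,5),(q,2)}` read at datum 3 and `{(p,9),(q,9),(q,4)}` read at datum 6 differ only by a renaming of data; they have the same abstraction and, relative to a next datum that repeats the older one, the same four abstract successors.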

For $R, R_\dagger \subseteq Q$, let

$$\bar R = \{*\} \cup \{\bar q : q \in R\} \qquad \overline{R, R_\dagger} = \{\dagger\} \cup \{\tilde q : q \in R\} \cup \{\tilde q_\dagger : q \in R_\dagger\}$$

We define the basis of $C_A$ as $\{*, \dagger\} \uplus \bar Q \uplus \tilde Q \uplus \tilde Q_\dagger$ (where we assume disjointness), and the counters of $C_A$ are: $\bar R$ for each $R \subseteq Q$, and $\overline{R, R_\dagger}$ for each $R, R_\dagger \subseteq Q$. The set of counters of $C_A$ is thus essentially $\mathcal P(Q) \cup \mathcal P(Q)^2$. Note that, compared to the procedure above, $C_A$ has the extra counter $\bar\emptyset$.

The states of $C_A$ are used for control, and for storing the letters from $\Sigma$ as well as the elements and subsets of $Q$. Step (0) is implemented by default, and steps (1), (2), (4) and (8) are straightforward.

Step (3) can be performed by a single simultaneous nondeterministic transfer, with the mapping

$$\Big\{\bar R \mapsto \Big\{\overline{\textstyle\bigcup_{q \in R} Q^q, \bigcup_{q \in R} Q^q_\dagger} : \forall q \in R\,(Q^q, Q^q_\dagger \models \delta(q, a, \mathrm f))\Big\},\ \overline{R, R_\dagger} \mapsto \{\overline{R, R_\dagger}\} : R, R_\dagger \subseteq Q\Big\}$$

whose distributivity is a key component of the paper. To show that it holds, suppose $\bar R \subseteq \bigcup_{i=1}^k \bar R^i$ and $Q^{i,q}, Q^{i,q}_\dagger \models \delta(q, a, \mathrm f)$ for each $i \in \{1, \ldots, k\}$ and $q \in R^i$. Given $q \in R$, let $i_q$ be such that $q \in R^{i_q}$. We then have, as required:

The following is an implementation of step (5):
— Set $R' := \bigcup_{q \in Q_\dagger} Q^q \cup \bigcup_{q \in Q_\dagger} Q^q_\dagger$.

— For each $q \in Q$, either perform the transfer that verifies that each $\overline{R, R_\dagger}$ with $q \in R_\dagger$ is zero (cf. Example 2.6), or choose $R, R_\dagger \subseteq Q$ with $q \in R_\dagger$, decrement $\overline{R, R_\dagger}$, increment $\overline{R, R_\dagger}$, and set $R' := R' \cup \{q\}$.

— Increment $\bar{R'}$.

For step (6), we use the transfer with the mapping

$$\{\bar R \mapsto \{\bar R\},\ \overline{R, R_\dagger} \mapsto \{\bar R\} : R, R_\dagger \subseteq Q\}$$

which is distributive since $\overline{R, R_\dagger} \subseteq \bigcup_{i=1}^k \overline{R^i, R^i_\dagger}$ implies $\bar R \subseteq \bigcup_{i=1}^k \bar R^i$.

Finally, in step (7), if $Q_\dagger := \emptyset$ is performed, then either $\bar\emptyset$ is decremented or not.

Observe therefore that the auxiliary counter $\bar\emptyset$ is transferred to $\overline{\emptyset, \emptyset}$ in step (3), that $\overline{\emptyset, \emptyset}$ is transferred to $\bar\emptyset$ in step (6), and that those two counters do not affect anything else.

In step (2), $C_A$ performs an $a$-transition, and all other transitions are $\varepsilon$. However, the only cycle in the transition graph of $C_A$ corresponds to the loop (2)–(8), so the requirement of no cycles of $\varepsilon$-transitions is met.

The only nontrivial aspect of computing $C_A$ in space polynomial in the size of $A$ is the implementation of step (3). However, for each $R \subseteq Q$, the set

$$\Big\{\overline{\textstyle\bigcup_{q \in R} Q^q, \bigcup_{q \in R} Q^q_\dagger} : \forall q \in R\,(Q^q, Q^q_\dagger \models \delta(q, a, \mathrm f))\Big\}$$

can be output by iterating over all mappings $q \mapsto (Q^q, Q^q_\dagger)$ from $R$ to $\mathcal P(Q)^2$. Each such mapping can be stored in space $2|Q|^2$, and deciding $Q^q, Q^q_\dagger \models \delta(q, a, \mathrm f)$ amounts to evaluating a propositional formula.

It remains to show that incrementing errors cannot cause $C_A$ to accept an $\omega$-word $a_0 a_1 \ldots$ which it does not accept without incrementing errors. Informally, that is the case because incrementing errors in runs of $C_A$ amount to introductions of spurious threads into corresponding runs of $A$, which can only make acceptance harder.

Suppose $C_A$ accepts an $\omega$-word $a_0 a_1 \ldots$, i.e. the implementation of the procedure above has an infinite execution $E$ which may contain incrementing errors and which chooses in step (2) the letters $a_0, a_1, \ldots$. Below, we define an error-free infinite execution $E_\sharp$ such that the letters chosen in step (2) are also $a_0, a_1, \ldots$, and we show by induction that the following are satisfied before each step:

(i) $v_\sharp \sqsubseteq v$ (cf. Lemma 3.1), where $v$ and $v_\sharp$ are the current counter valuations in $E$ and $E_\sharp$ (respectively);

(ii) $Q^\sharp_\dagger \subseteq Q_\dagger$, if $Q_\dagger$ and $Q^\sharp_\dagger$ are defined, where they are the current values of the variable in $E$ and $E_\sharp$ (respectively).

Initially, we have that $v$ and $v_\sharp$ equal 0, and that $Q_\dagger$ and $Q^\sharp_\dagger$ are undefined, so the inductive base is trivial. We also have that $v_\sharp \sqsubseteq v$ and $v \le v'$ imply $v_\sharp \sqsubseteq v'$, i.e. the $\sqsubseteq$ relation is preserved by incrementing errors in the second argument.

Steps (1) and (2). $E_\sharp$ performs the same transitions as $E$.
Steps (3) and (6). $E_\sharp$ performs the transfers as in Lemma 3.1.
Step (4). For each $q \in Q^\sharp_\dagger \subseteq Q_\dagger$, the same $Q^q$ and $Q^q_\dagger$ are chosen in $E_\sharp$ as in $E$.

Step (5). For each $q \in Q$, if there exist $R^\sharp$ and $R^\sharp_\dagger \ni q$ such that $v_\sharp(\overline{R^\sharp, R^\sharp_\dagger}) > 0$, we have by (i) that there exist $R$ and $R_\dagger \ni q$ such that $v(\overline{R, R_\dagger}) > 0$. It follows that $R'_\sharp \subseteq R'$, where $R'$ is the value of the variable after the implementation of step (5) is executed in $E$, and $R'_\sharp$ is the value after the unique error-free execution in $E_\sharp$. Hence, (i) is preserved.

Step (7). Let $\iota : v_\sharp \to v$ be an injection (cf. the proof of Lemma 3.1), and $Q_\dagger$ be the value chosen in $E$. If $\overline{Q_\dagger}$ is decremented and $\iota(\overline{Q^\sharp_\dagger}, i) = (\overline{Q_\dagger}, j)$ for some $Q^\sharp_\dagger$, $i$ and $j$ (in particular, $Q^\sharp_\dagger \subseteq Q_\dagger$), then choose such $Q^\sharp_\dagger$ in $E_\sharp$ and decrement $\overline{Q^\sharp_\dagger}$. Otherwise, choose $\emptyset$ in $E_\sharp$ without decrementing.

That completes the definition of $E_\sharp$ and the proof. □

Theorem 3.3. Nonemptiness of safety IPCANT is decidable in space exponential in basis size and polylogarithmic in alphabet size and number of locations.

PROOF. Suppose $C = (\Sigma, Q, q_I, X, C, \delta)$ is a safety IPCANT. By Proposition 2.7, $C$ is nonempty iff it has an infinite sequence of lazy transitions from the initial configuration.

We define positive integers $\alpha_i$ and $U_i$ for $i = 0, \ldots, |X|$ as follows:

$$\alpha_0 = |Q| \qquad U_0 = 1 \qquad \alpha_{i+1} = 2(|X| - i)\,\alpha_i U_i^{|C|} \qquad U_{i+1} = 3\,\alpha_i U_i^{|C|}$$

Let $m = 2\alpha_{|X|} U_{|X|}^{|C|}$. We shall show:

(I) If $C$ has a sequence of $m - 1$ lazy transitions from the initial configuration, then it has an infinite sequence.

Therefore, nonemptiness of $C$ can be decided nondeterministically by guessing a sequence of $m - 1$ lazy transitions from the initial configuration. In every such sequence, each transition increases the sum of all counters by at most 1, so no counter can exceed $m - 1$. Since $m < 2^{2^{p(|X|)} \log(3|Q|)}$ and $|C| \le 2^{|X|}$, a single configuration can be stored in space $2^{p(|X|)} \cdot O(\log|Q|)$. To guess a sequence of length $m - 1$, it suffices to store at most two configurations, the number of transitions guessed so far, and a fixed number of variables bounded by $|\delta| = 2^{2^{O(|X|)}} \cdot O(|\Sigma| \cdot |Q|)$ for indexing the transition relation of $C$. Hence, nonemptiness of $C$ is decidable nondeterministically in space $2^{p(|X|)} \cdot O(\log(|\Sigma| \cdot |Q|))$, so by Savitch's Theorem, there is a deterministic algorithm of space complexity $2^{p(|X|)} \cdot O(\log(|\Sigma| \cdot |Q|)^2)$.

To show (I), suppose $C$ has a sequence of lazy transitions $S = (q_1, v_1) \xrightarrow{l_1} \cdots \xrightarrow{l_{m-1}} (q_m, v_m)$ from the initial configuration, but no infinite sequence. By careful repeated uses of the pigeonhole principle and the distributivity of simultaneous nondeterministic transfers, we shall obtain the contradiction that $S$ must contain two equal configurations. To start with, some state must occur among $q_1, \ldots, q_m$ at least $m/|Q|$ times, so let $q \in Q$ and $J_0 \subseteq \{1, \ldots, m\}$ be such that $|J_0| = m/\alpha_0 U_0^{|C|}$ and $q_j = q$ for each $j \in J_0$. We claim:
(II) There exist an enumeration $x_1, \ldots, x_{|X|}$ of $X$, and for $i = 1, \ldots, |X|$, mappings $u_i : C_i \to \{0, \ldots, U_i - 1\}$ where $C_i = \{c \in C : x_i \in c \wedge x_1, \ldots, x_{i-1} \notin c\}$, and subsets $J_i$ of $\{1, \ldots, m\}$ of size $m/\alpha_i U_i^{|C|}$, such that the following property holds for each $0 \le i \le |X|$: for all $j \in J_i$, we have that $q_j = q$ and that for all $1 \le i' \le i$ and $c \in C_{i'}$, $v_j(c) = u_{i'}(c)$.

We establish (II) by proving the property inductively on $i$ and simultaneously picking $x_i$, $u_i$ and $J_i$. The case $i = 0$ is trivial. Assume that $0 \le i < |X|$ and that $x_{i'}$, $u_{i'}$ and $J_{i'}$ for $i' = 1, \ldots, i$ have been picked so that the property holds for $i$. Let us call a subsequence of $S$ an $i$-subsequence iff there exist consecutive $j, j' \in J_i$ (i.e. where there is no $j'' \in J_i$ with $j < j'' < j'$) such that the subsequence begins at $(q_j, v_j)$ and ends at $(q_{j'}, v_{j'})$. Let $J'_i \subseteq J_i$ consist of the beginning positions of the $|J_i|/2 = m/2\alpha_i U_i^{|C|}$ shortest $i$-subsequences. The length of the longest of those $i$-subsequences must be at most $2\alpha_i U_i^{|C|}$, since otherwise there would be at least $|J_i|/2$ $i$-subsequences of length more than $m/(|J_i|/2)$. Let $S_i = (q_j, v_j) \xrightarrow{l_j} \cdots \xrightarrow{l_{j'-1}} (q_{j'}, v_{j'})$ be an $i$-subsequence with $j \in J'_i$. We have $j' - j \le 2\alpha_i U_i^{|C|}$, $q_j = q_{j'} = q$, and for all $1 \le i' \le i$ and $c \in C_{i'}$, $v_j(c) = v_{j'}(c) = u_{i'}(c)$. Recalling that $u_{i'} : C_{i'} \to \{0, \ldots, U_{i'} - 1\}$, we obtain $\sum_{i'=1}^{i} \sum_{c \in C_{i'}} v_{j'}(c) \le \sum_{i'=1}^{i} |C_{i'}| U_{i'}$. To make progress, we prove:

(III) There exists $x'_j \neq x_1, \ldots, x_i$ such that, for each $c$ with $x'_j \in c$ and $x_1, \ldots, x_i \notin c$, $v_j(c) < 2\alpha_i U_i^{|C|} + \sum_{i'=1}^{i} |C_{i'}| U_{i'}$.

Suppose the contrary: for each $x' \neq x_1, \ldots, x_i$, there exists $c_{x'}$ such that $x' \in c_{x'}$, $x_1, \ldots, x_i \notin c_{x'}$, and $v_j(c_{x'}) \ge 2\alpha_i U_i^{|C|} + \sum_{i'=1}^{i} |C_{i'}| U_{i'}$. Let $H$ be a directed acyclic graph on $\{j, \ldots, j'\} \times C$, defined by letting the successors of $(k, d)$ be:

— $\emptyset$, if $k = j'$;

— $\{(k + 1, d') : d' \in f(d)\}$, if $l_k$ is of the form $(\mathrm{transf}, f)$;
— $\{(k + 1, d)\}$, otherwise.

Now, for $c \in C$ and $k \in \{j, \ldots, j'\}$, let $H(c, k)$ be the set of all $d$ such that $(k, d)$ is reachable in $H$ from $(j, c)$. We have $\sum_{d \in H(c,k)} v_k(d) \ge v_j(c) - (k - j)$ by induction on $k$. In particular, for each $x' \neq x_1, \ldots, x_i$, we have $\sum_{d \in H(c_{x'}, j')} v_{j'}(d) \ge v_j(c_{x'}) - (j' - j) > \sum_{i'=1}^{i} |C_{i'}| U_{i'} \ge \sum_{i'=1}^{i} \sum_{c \in C_{i'}} v_{j'}(c)$, so there is some $d_{x'} \in H(c_{x'}, j')$ such that $x_1, \ldots, x_i \notin d_{x'}$. Let $H_{x'}$ be a path in $H$ from $(j, c_{x'})$ to $(j', d_{x'})$. For $k \in \{j, \ldots, j'\}$, let $H_{x'}(k)$ denote the counter at position $k$ in $H_{x'}$.

Consider any $c$ with $x_1, \ldots, x_i \notin c$. Observe that $c \subseteq \bigcup\{H_{x'}(j) : x' \in c\}$. Let $H_c$ be a path in $H$ from $(j, c)$, obtained as follows. Assuming that $k \in \{j, \ldots, j' - 1\}$ and $H_c(k) \subseteq \bigcup\{H_{x'}(k) : x' \in c\}$:

— if $l_k$ is of the form $(\mathrm{transf}, f)$, by distributivity of $f$ and the definition of $H$, we can pick $H_c(k + 1) \subseteq \bigcup\{H_{x'}(k + 1) : x' \in c\}$;

— otherwise, we have $H_{x'}(k + 1) = H_{x'}(k)$ for each $x' \in c$, and the only possibility is $H_c(k + 1) = H_c(k)$.

Since $H_c(j') \subseteq \bigcup\{H_{x'}(j') : x' \in c\}$, we conclude that $x_1, \ldots, x_i \notin H_c(j')$.
Using the paths $H_c$, we now show that, from the final configuration of $S_i$, the instructions in $S_i$ can be performed repeatedly to obtain an infinite sequence of lazy transitions, which is a contradiction, so (III) holds. More precisely, since $v_j(d) = v_{j'}(d)$ for all $1 \le i' \le i$ and $d \in C_{i'}$, and $H_c(j) = c$ for all $c$, by (IV) below from $v_{j'}$ for $k = j, \ldots, j' - 1$, there exist lazy transitions $(q_j, v_{j'}) \xrightarrow{l_j} \cdots \xrightarrow{l_{j'-1}} (q_{j'}, v'_{j'})$ such that $v'_{j'}(d) \le v_{j'}(d)$ for all $d \notin \{H_c(j') : x_1, \ldots, x_i \notin c\}$. But $\{H_c(j') : x_1, \ldots, x_i \notin c\} \subseteq \{c : x_1, \ldots, x_i \notin c\}$, so (IV) can be applied from $v'_{j'}$ for $k = j, \ldots, j' - 1$, etc.

(IV) Suppose $k \in \{j, \ldots, j' - 1\}$, and $v'_k$ is a counter valuation such that $v'_k(d) \le v_k(d)$ for all $d \notin \{H_c(k) : x_1, \ldots, x_i \notin c\}$. There exists a lazy transition $(q_k, v'_k) \xrightarrow{l_k} (q_{k+1}, v'_{k+1})$ such that $v'_{k+1}(d) \le v_{k+1}(d)$ for all $d \notin \{H_c(k + 1) : x_1, \ldots, x_i \notin c\}$.

To show (IV), we distinguish between two cases:

— If $l_k$ is of the form $(\mathrm{transf}, f)$, let $K^d_{d'} \ge 0$ for each $d \in C$ and $d' \in f(d)$ satisfy

$$\text{for each } d \in C,\ v_k(d) = \sum_{d' \in f(d)} K^d_{d'} \qquad \text{for each } d' \in C,\ v_{k+1}(d') = \sum_{f(d) \ni d'} K^d_{d'}$$

For $d \in C$ such that $v'_k(d) \le v_k(d)$, pick any $K'^d_{d'} \ge 0$ such that $v'_k(d) = \sum_{d' \in f(d)} K'^d_{d'}$ and $K'^d_{d'} \le K^d_{d'}$ for each $d' \in f(d)$. For $d \in C$ such that $v'_k(d) > v_k(d)$, we have $d = H_c(k)$ for some $c$ with $x_1, \ldots, x_i \notin c$, so we can set $K'^d_{d'} = K^d_{d'}$ for all $d' \in f(d) \setminus \{H_c(k + 1)\}$, and $K'^d_{H_c(k+1)} = K^d_{H_c(k+1)} + v'_k(d) - v_k(d)$. Now, for each $d' \in C$, let $v'_{k+1}(d') = \sum_{f(d) \ni d'} K'^d_{d'}$, so that $(q_k, v'_k) \xrightarrow{l_k} (q_{k+1}, v'_{k+1})$ lazily. Since $K'^d_{d'} > K^d_{d'}$ implies $d' \in \{H_c(k + 1) : x_1, \ldots, x_i \notin c\}$, we have $v'_{k+1}(d') \le v_{k+1}(d')$ for all $d' \notin \{H_c(k + 1) : x_1, \ldots, x_i \notin c\}$.

— Otherwise, $v'_{k+1}$ is uniquely determined by the lazy transition $(q_k, v'_k) \xrightarrow{l_k} (q_{k+1}, v'_{k+1})$, and has the required property as $H_c(k + 1) = H_c(k)$ for all $c$.

For each $j \in J'_i$, let $x'_j \neq x_1, \ldots, x_i$ be as in (III). For each $c$ with $x'_j \in c$ and $x_1, \ldots, x_i \notin c$, we have $v_j(c) < U_{i+1}$. Let $x_{i+1}$ be such that there exists $J'' \subseteq J'_i$ of size $|J'_i|/(|X| - i) = m/\alpha_{i+1}$ with $x_{i+1} = x'_j$ for all $j \in J''$. Thus, for all $j \in J''$ and $c \in C_{i+1}$, we have $v_j(c) < U_{i+1}$. Then let $u_{i+1} : C_{i+1} \to \{0, \ldots, U_{i+1} - 1\}$ be such that there exists $J_{i+1} \subseteq J''$ of size $m/\alpha_{i+1} U_{i+1}^{|C|}$ with $v_j(c) = u_{i+1}(c)$ for all $j \in J_{i+1}$ and $c \in C_{i+1}$. That completes the inductive proof of (II).

Since $m = 2\alpha_{|X|} U_{|X|}^{|C|}$, we have from (II) that $S$ contains two equal configurations, so $C$ has an infinite sequence of lazy transitions from the initial configuration. That is a contradiction, so (I) is shown. □

By Theorems 3.2, 3.3 and 2.5, we obtain:

Corollary 3.4. Safety 1ARA$_1$ nonemptiness and safety $\mathrm{LTL}^\downarrow_1(X,R)$ satisfiability are in ExpSpace.
4. LOWER BOUND

Theorem 4.1. Safety 1ARA$_1$ nonemptiness and safety $\mathrm{LTL}^\downarrow_1(X,R)$ satisfiability are ExpSpace-hard.

PROOF. By Theorem 2.5, it suffices to show ExpSpace-hardness of satisfiability for safety $\mathrm{LTL}^\downarrow_1(X,R)$. We shall reduce from the halting problem for Turing machines with exponentially long tapes. More precisely, a Turing machine $M$ is a tuple $(\Sigma, a_B, Q, q_I, \delta)$ such that:

— $\Sigma$ is a finite alphabet, and $a_B \in \Sigma$ denotes the blank symbol;
— $Q$ is a finite set of states, and $q_I \in Q$ is the initial state;
— $\delta : Q \times \Sigma \to Q \times \Sigma \times \{-1, 1\}$ is the transition function.

If the size of $M$ is $n$, we consider its computation on a tape of length $2^n$. More formally, a configuration of $M$ is of the form $(q, i, w)$ where $q \in Q$ is the machine state, $0 \le i < 2^n$ is the head position, and $w \in \Sigma^{2^n}$ is the tape contents. The initial configuration is $(q_I, 0, a_B^{2^n})$. A configuration $(q, i, w)$ has a transition iff $0 \le i + o < 2^n$ where $(q', a, o) = \delta(q, w(i))$. In that case, we write $(q, i, w) \to (q', i + o, w[i \mapsto a])$. Since $M$ can halt by requesting to move the head off an edge of the tape, it does not need to have a special halting state.

The following problem is ExpSpace-complete: given $M = (\Sigma, a_B, Q, q_I, \delta)$ of size $n$, is the computation from the initial configuration with tape length $2^n$ infinite? (To reduce in polynomial time from the same problem with tape length $2^{n^k}$, extend the machine by unreachable states until it is of size $n^k$.) We shall show that a sentence $\phi_M$ of safety $\mathrm{LTL}^\downarrow_1(X,R)$ is computable in space logarithmic in $n$, such that the answer to the decision problem is 'yes' iff $\phi_M$ is satisfiable.

Let $\bar\Sigma = \{\bar a : a \in \Sigma\}$. The alphabet of $\phi_M$ is $\hat\Sigma = Q \uplus \{0_d, 1_d : d \in \{1, \ldots, n\}\} \uplus \Sigma \uplus \bar\Sigma$. To encode a tape cell, we write its position in binary followed by its contents. A configuration $(q, i, w)$ is then encoded by the word below, where the bar is used to mark the contents at head position. Let $\bar w(i, i) = \overline{w(i)}$, and $\bar w(j, i) = w(j)$ for $j \neq i$.

$$q\ \ 0_1 \cdots 0_{n-1} 0_n\ \bar w(0, i)\ \ 0_1 \cdots 0_{n-1} 1_n\ \bar w(1, i)\ \ \cdots\ \ 1_1 \cdots 1_{n-1} 1_n\ \bar w(2^n - 1, i)$$

The computation of $M$ from the initial configuration with tape length $2^n$ is infinite iff there exists a data $\omega$-word $\sigma$ over $\hat\Sigma$ such that:

(i) $\mathrm{str}(\sigma)$ is a sequence of encodings of configurations of $M$;

(ii) $\mathrm{str}(\sigma)$ begins with the encoding of the initial configuration $(q_I, 0, a_B^{2^n})$;

(iii) for every two consecutive encodings in $\mathrm{str}(\sigma)$ of configurations $(q, i, w)$ and $(q', i', w')$, we have $(q, i, w) \to (q', i', w')$.

Hence, it suffices to construct $\phi_M$ such that $\sigma$ satisfies $\phi_M$ iff (i)–(iii) hold and:

(iv) for every encoding in $\sigma$ of a tape cell, all the letters $b_d$ and $\bar w(j, i)$ are in the same class;

(v) for every two encodings in $\sigma$ of tape cells with positions $j$ and $j'$ (occurring in one or two configuration encodings), their classes are the same iff $j = j'$.

The purpose of (iv) and (v) is to enable navigation through $\sigma$ for checking (i)–(iii) in $\phi_M$, whose size will be only polynomial in $n$.
For (i), we can split it into the following constraints, each of which is straightforward to express:

— the first letter is a state of $M$;

— every state of $M$ is succeeded by $0_1 \cdots 0_{n-1} 0_n$;

— every $b_n$ is succeeded by an element of $\Sigma \uplus \bar\Sigma$;

— for every $b_d$ not succeeded by $1_{d+1} \cdots 1_n$, $b_d$ occurs $n + 1$ positions later (the next position has the same binary digit $d$);

— for every $0_d$ succeeded by $1_{d+1} \cdots 1_n$, $1_d 0_{d+1} \cdots 0_n$ occurs $n + 1$ positions later (the next position has the opposite binary digit $d$);

— $1_1 \cdots 1_{n-1} 1_n$ followed by an element of $\Sigma \uplus \bar\Sigma$ are succeeded by a state of $M$;

— between every two consecutive occurrences of states of $M$, there is exactly one occurrence of an element of $\bar\Sigma$.
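The encoding of configurations and the structural constraints (i), (iv) and (v), as an added example written for this page and not the paper's construction of $\phi_M$: the Python code below encodes a configuration $(q, i, w)$ as the word of the proof, with every letter of a cell carrying the datum $j$ of the cell position, and decodes a concatenation of such encodings while checking the binary position digits, the class constraints and the uniqueness of the head marker. The machine `TM`, the representation of letters as Python tuples, the datum given to state letters and all helper names are constructed assumptions of the example.

```python
# Turing machine M = (Sigma, blank, Q, q_I, delta) as in the proof, with
# delta[(q, a)] = (q', a', o) and o in {-1, +1}; the tape has length 2**n and the
# machine halts only by asking to move the head off the tape.

def initial(M, n):
    Sigma, blank, Q, qI, delta = M
    return (qI, 0, (blank,) * 2 ** n)


def step(M, n, cfg):
    """The successor (q', i + o, w[i -> a']) of (q, i, w), or None if M halts."""
    Sigma, blank, Q, qI, delta = M
    q, i, w = cfg
    q2, a2, o = delta[(q, w[i])]
    if not 0 <= i + o < 2 ** n:
        return None
    w2 = list(w)
    w2[i] = a2
    return (q2, i + o, tuple(w2))


def computation(M, n, limit):
    """Configurations from the initial one, stopping at a halt or after `limit` steps."""
    cfgs = [initial(M, n)]
    while len(cfgs) <= limit:
        nxt = step(M, n, cfgs[-1])
        if nxt is None:
            break
        cfgs.append(nxt)
    return cfgs


def encode(n, cfg, tag):
    """Encode (q, i, w) as a list of (letter, datum).  Letters are ('q', state), binary digits
    ('0', d) / ('1', d) with digit 1 the most significant, a tape symbol, or ('bar', symbol)
    for the cell under the head.  Every letter of cell j carries datum j (property (iv));
    the state letter carries a datum of its own, kept unique by `tag` (a constructed choice)."""
    q, i, w = cfg
    word = [(('q', q), ('state', tag))]
    for j in range(2 ** n):
        for d in range(1, n + 1):
            word.append(((str((j >> (n - d)) & 1), d), j))
        word.append((('bar', w[j]) if j == i else w[j], j))
    return word


def decode(n, word):
    """Inverse of encode over a sequence of configuration encodings.  Checks (i), (iv) and (v)
    on the way and raises ValueError on a violation; returns the list of configurations."""
    size, pos, cfgs = 2 ** n, 0, []
    class_of, cell_of = {}, {}          # datum -> cell position and back, for (v)
    while pos < len(word):
        letter = word[pos][0]
        if not (isinstance(letter, tuple) and letter[0] == 'q'):
            raise ValueError('expected a state letter at position %d' % pos)
        q, pos, head, tape = letter[1], pos + 1, None, []
        for j in range(size):
            cell = word[pos:pos + n + 1]
            if len(cell) != n + 1:
                raise ValueError('truncated cell %d' % j)
            pos += n + 1
            if [l for l, _ in cell[:n]] != [(str((j >> (n - d)) & 1), d) for d in range(1, n + 1)]:
                raise ValueError('(i): wrong position digits in cell %d' % j)
            data = {dat for _, dat in cell}
            if len(data) != 1:
                raise ValueError('(iv): cell %d mixes classes' % j)
            datum = data.pop()
            if class_of.setdefault(datum, j) != j or cell_of.setdefault(j, datum) != datum:
                raise ValueError('(v): class and position disagree in cell %d' % j)
            content = cell[n][0]
            if isinstance(content, tuple) and content[0] == 'bar':
                if head is not None:
                    raise ValueError('two cells marked as head position')
                head, content = j, content[1]
            tape.append(content)
        if head is None:
            raise ValueError('no cell marked as head position')
        cfgs.append((q, head, tuple(tape)))
    return cfgs


def is_well_formed(n, word):
    try:
        decode(n, word)
        return True
    except ValueError:
        return False


def respects_transitions(M, n, cfgs):
    """Property (iii): consecutive configurations are related by the transition relation of M."""
    return all(step(M, n, c1) == c2 for c1, c2 in zip(cfgs, cfgs[1:]))


def encode_computation(M, n, limit):
    cfgs = computation(M, n, limit)
    return [letter for k, cfg in enumerate(cfgs) for letter in encode(n, cfg, k)]


# Constructed machine: state 'w' overwrites blanks with 'a' moving right, so with n = 2
# it makes three transitions and halts when the head would leave the 4-cell tape.
TM = ({'a', 'B'}, 'B', {'w'}, 'w', {('w', 'B'): ('w', 'a', 1), ('w', 'a'): ('w', 'a', 1)})
```

Changing the datum of a single digit letter breaks (iv) and is rejected by the decoder, which is the kind of violation the formulas for (iv) and (v) rule out in $\sigma$.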

Properties (ii) and (iv) are also straightforward. Before (iii), let us consider (v), which is equivalent to the following conjunction:

(v.1) for every two encodings of tape cells, if their classes are the same then their positions are the same;

(v.2) for every encoding of a tape cell, some tape cell in the next configuration encoding has the same class.

The more involved is (v.1). It amounts to requiring that, for all $d \in \{1, \ldots, n\}$ and $b \in \{0, 1\}$, it is not the case that there is an occurrence of $b_d$ and a subsequent occurrence of $(1 - b)_d$ with the same datum:

$$\bigwedge_{d=1}^{n} \bigwedge_{b \in \{0,1\}} \mathsf G\Big(\widetilde{b_d} \vee {\downarrow} \mathsf X\, \mathsf G\big(\widetilde{(1-b)_d} \vee \neg{\uparrow}\big)\Big)$$

where $\tilde a$ abbreviates $\bigvee\{a' : a' \in \hat\Sigma \setminus \{a\}\}$.

Property (iii) is now equivalent to asserting that the following hold for all $q \in Q$ and $a \in \Sigma$, where $(q', a', o) = \delta(q, a)$:

(iii.1) whenever $q$ occurs with $\bar a$ in the same configuration encoding, the next occurrence of a state of $M$ is $q'$;

(iii.2) for every occurrence of some $b \in \Sigma$ in a configuration encoding which contains $q$ and $\bar a$, the next occurrence in the same class of an element of $\Sigma \uplus \bar\Sigma$ is an occurrence of $b$ or $\bar b$;

(iii.3) for every occurrence of $\bar a$ in a configuration encoding containing $q$, the next occurrence in the same class of an element of $\Sigma \uplus \bar\Sigma$ is an occurrence of $a'$, and $n$ positions earlier (if $o = -1$) or later (if $o = 1$) an element of $\bar\Sigma$ occurs.

The most involved is (iii.3), and the two cases of $o = -1$ and $o = 1$ are similar.

Letting $\bar\Sigma$ and $\widetilde{\bar\Sigma}$ abbreviate $\bigvee\{b : b \in \bar\Sigma\}$ and $\bigvee\{b : b \in \hat\Sigma \setminus \bar\Sigma\}$ (respectively), (iii.3) with $o = -1$ is expressed by:

To obtain a sentence of safety $\mathrm{LTL}^\downarrow_1(X,R)$ in the strict sense, we convert to negation normal form:

$$\mathsf G\Big(\tilde q \vee \widetilde{\bar\Sigma}\,\mathsf R\,\big(\tilde{\bar a} \vee {\downarrow}\mathsf X\big(\widetilde{\bar\Sigma}\,\mathsf R\,(\bar\Sigma \vee \mathsf X^n(a' \wedge {\uparrow}))\big)\big)\Big)$$

To output $\hat\Sigma$ and $\phi_M$ given $M$ as above, a fixed number of counters which are bounded by $n$ suffice. □

5. INCLUSION AND REFINEMENT

Using well-quasi-orderings, the proofs of Theorems 3.2 and 3.3, and that satisfiability over finite data words for $\mathrm{LTL}^\downarrow_1(X,F)$ is not primitive recursive [Demri and Lazic 2009, Theorem 5.2], we obtain the result below.

We remark that, in a similar manner, one can show that the following "model-checking" problems are decidable and not primitive recursive: whether the language of a Büchi one-way nondeterministic register automaton (with any number of registers) is included in the language of a safety 1ARA$_1$ or a safety $\mathrm{LTL}^\downarrow_1(X,R)$ sentence.

Theorem 5.1. The following problems are decidable and not primitive recursive:

— inclusion for safety 1ARA$_1$;

— refinement for safety $\mathrm{LTL}^\downarrow_1(X,R)$.

Proof. By Theorem 2.5, it suffices to establish that inclusion for safety 1ARA$_1$ is decidable and that refinement for safety $\mathrm{LTL}^\downarrow_1(X,R)$ is not primitive recursive.

For the former, suppose $A_1 = (\Sigma, Q_1, q^1_I, \delta_1)$ and $A_2 = (\Sigma, Q_2, q^2_I, \delta_2)$ are safety 1ARA$_1$, where we need to determine whether $L(A_1) \subseteq L(A_2)$.

Let $\bar A_2 = (\Sigma, Q_2, q^2_I, \bar\delta_2)$ be the dual automaton to $A_2$, so that each formula $\bar\delta_2(r, a, ?)$ is the dual to $\delta_2(r, a, ?)$, i.e. obtained by replacing every $\top$ with $\bot$, every $\wedge$ with $\vee$, and vice versa. Let $\bar L(\bar A_2)$ denote the language of $\bar A_2$ with respect to co-safety acceptance: a data $\omega$-word $\sigma$ over $\Sigma$ is in $\bar L(\bar A_2)$ iff $\bar A_2$ has a finite run $F_0 \to F_1 \to \cdots$ where $F_0 = \{(q^2_I, [0]_\sim)\}$. Considering $A_2$ (resp., $\bar A_2$) as a weak alternating automaton whose every state is of even (resp., odd) parity, we have by [Löding and Thomas 2000, Theorem 1] that $\bar L(\bar A_2)$ is the complement of $L(A_2)$.

Now, let $A_\cap$ be the automaton for the intersection of $A_1$ and $\bar A_2$, obtained by adding a new initial state. More precisely, assuming that $Q_1$ and $Q_2$ are disjoint and do not contain $q_I$, let $A_\cap = (\Sigma, \{q_I\} \cup Q_1 \cup Q_2, q_I, \delta_\cap)$, where

$$\delta_\cap = \{(q_I, a, ?) \mapsto \delta_1(q^1_I, a, ?) \wedge \bar\delta_2(q^2_I, a, ?) : a \in \Sigma,\ ? \in \{\mathrm t, \mathrm f\}\} \cup \delta_1 \cup \bar\delta_2$$

The acceptance condition of $A_\cap$ is inherited from $A_1$ and $\bar A_2$: a data $\omega$-word $\sigma$ over $\Sigma$ is in $L(A_\cap)$ iff $A_\cap$ has an infinite run $F_0 \to F_1 \to \cdots$ where $F_0 = \{(q_I, [0]_\sim)\}$ and there exists $i$ such that $F_i$ contains only states in $Q_1$. We then have that $L(A_\cap) = L(A_1) \cap \bar L(\bar A_2)$, so $L(A_\cap)$ is empty iff $L(A_1) \subseteq L(A_2)$.

Let $C_\cap$ be the IPCANT computed from $A_\cap$ as in the proof of Theorem 3.2, except that the following step is added between steps (6) and (7), where $q_\checkmark$ is a new state and implementation is similar to that of step (5):

(6′) If $c(R) = 0$ for all $R$ which intersect $Q_2$, then pass through $q_\checkmark$.

We thus have that $L(A_\cap)$ is nonempty iff $C_\cap$ has an infinite run $(q_0, v_0) \to (q_1, v_1) \to \cdots$ where $(q_0, v_0)$ is the initial configuration and there exists $i$ such that $q_i = q_\checkmark$.

We define $\preceq$ to be the following quasi-ordering on configurations of $C_\cap$: $(q, v) \preceq (q', v')$ iff $q = q'$ and $v \le v'$. By Dickson's Lemma [Dickson 1913], $\preceq$ is a well-quasi-ordering: for every infinite sequence $s_0, s_1, \ldots$, there exist $i < j$ such that $s_i \preceq s_j$. Now, consider the following procedure:

(i) Let $S$ consist of the initial configuration of $C_\cap$.

(ii) Let $S'$ be the set of all successors of configurations in $S$ by lazy transitions.

(iii) If for all $s' \in S'$ there exists $s \in S$ with $s \preceq s'$, then stop. Otherwise, set $S$ to $S \cup S'$, and repeat from (ii).

Since $\preceq$ is a well-quasi-ordering, the procedure terminates. Let $S_{\mathrm{last}}$ denote the value of $S$ at the termination. It is a finite set, and by Proposition 2.7, its upward closure $\uparrow S_{\mathrm{last}} = \{s' : \exists s \in S_{\mathrm{last}}\ (s \preceq s')\}$ is the set of all configurations which $C_\cap$ can reach from the initial configuration.

To conclude decidability of inclusion for safety 1ARA$_1$, it remains to show that we can decide whether $\uparrow S_{\mathrm{last}}$ contains a configuration whose state is $q_\checkmark$ and from which $C_\cap$ has an infinite run. But that is the case iff $S_{\mathrm{last}}$ contains such a configuration, and for any configuration $(q, v)$, we have by the proof of Theorem 3.3 that $C_\cap$ has an infinite run from $(q, v)$ iff it has a sequence of $m - 1$ lazy transitions from $(q, v)$, where $m$ is as computed in that proof.
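The saturation procedure (i)–(iii) and the coverage test on its result, as an added example not taken from the paper: a constructed two-counter system with incrementing errors, in which a lazy step is read as performing only the incrementing error needed to enable an instruction (a decrement of a zero counter leaves it at zero), the quasi-ordering $\preceq$ of the proof, and the loop that grows $S$ until every lazy successor is covered by an element of $S$. The system `SYSTEM`, its states and the helper names are assumptions of the example; Dickson's Lemma is what guarantees that the loop terminates.

```python
# Configurations are (state, counter vector).  Because the counters have incrementing errors,
# the reachable set is upward closed, and the assumed lazy semantics applies only the error
# strictly needed: a counter never drops below zero.  Constructed example, not an IPCANT.

def lazy_step(vector, delta):
    """Apply a vector of +1 / -1 / 0 effects lazily."""
    return tuple(max(v + dv, 0) for v, dv in zip(vector, delta))


def lazy_successors(system, conf):
    """All configurations reachable from conf by one lazy transition of `system`,
    a list of (source state, effect vector, target state)."""
    q, v = conf
    return {(q2, lazy_step(v, delta)) for q1, delta, q2 in system if q1 == q}


def leq(s, t):
    """The quasi-ordering of the proof: same state and componentwise smaller counters."""
    return s[0] == t[0] and all(a <= b for a, b in zip(s[1], t[1]))


def saturate(system, init):
    """Steps (i)-(iii): grow S until every lazy successor is covered by some element of S.
    Dickson's Lemma guarantees termination."""
    S = {init}
    while True:
        S2 = {s2 for s in S for s2 in lazy_successors(system, s)}
        if all(any(leq(s, s2) for s in S) for s2 in S2):
            return S
        S |= S2


def covered(S, conf):
    """Whether conf lies in the upward closure of S, i.e. is reachable with incrementing errors."""
    return any(leq(s, conf) for s in S)


# Constructed system: in state 'p' it may pump counter 0 or move to 'r' while incrementing
# counter 1; in 'r' it may decrement counter 0 forever.  Counter 1 is never reset, so every
# reachable 'r' configuration has counter 1 >= 1, and the saturated set records exactly that.
SYSTEM = [('p', (1, 0), 'p'), ('p', (0, 1), 'r'), ('r', (-1, 0), 'r')]
INIT = ('p', (0, 0))
```

On this system the loop stops after two rounds with $S_{\mathrm{last}} = \{(p,(0,0)), (p,(1,0)), (r,(0,1))\}$: every `p` configuration is covered, and an `r` configuration is covered exactly when its second counter is positive.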

We now turn to showing that already validity for safety $\mathrm{LTL}^\downarrow_1(X,R)$ is not primitive recursive. We reduce (in logarithmic space) from satisfiability over finite data words for $\mathrm{LTL}^\downarrow_1(X,F)$, which is not primitive recursive by [Demri and Lazic 2009, Theorem 5.2]. In negation normal form, the latter logic differs from safety $\mathrm{LTL}^\downarrow_1(X,R)$ by having temporal operators $\mathsf X$, $\mathsf F$ and $\mathsf G$ instead of $\mathsf R$. Over finite data words, $\mathsf X$ and its dual $\bar{\mathsf X}$ are distinct: at any final word position and for any $\phi$, $\mathsf X\phi$ is false whereas $\bar{\mathsf X}\phi$ is true.

Consider the following translation from formulae of $\mathrm{LTL}^\downarrow_1(X,F)$ in negation normal form with alphabet $\Sigma$ to formulae of co-safety $\mathrm{LTL}^\downarrow_1(X,R)$ with alphabet $\Sigma \uplus \{x\}$. Only cases where the construct is modified are shown.

$$\begin{aligned} t(\mathsf X\phi) &= \mathsf X\Big(t(\phi) \wedge \textstyle\bigvee_{a \in \Sigma} a\Big) & t(\mathsf F\phi) &= \Big(\textstyle\bigvee_{a \in \Sigma} a\Big)\,\mathsf U\,\Big(t(\phi) \wedge \textstyle\bigvee_{a \in \Sigma} a\Big) \\ t(\bar{\mathsf X}\phi) &= \mathsf X\big(t(\phi) \vee x\big) & t(\mathsf G\phi) &= \Big(t(\phi) \wedge \textstyle\bigvee_{a \in \Sigma} a\Big)\,\mathsf U\,x \end{aligned}$$

Given a sentence $\phi$, we have that a data $\omega$-word $\sigma$ over $\Sigma \uplus \{x\}$ satisfies $\psi = t(\phi) \wedge (\bigvee_{a \in \Sigma} a) \wedge (\top\,\mathsf U\,x)$ iff there exists $i > 0$ such that the $i$-prefix of $\sigma$ does not contain $x$ and satisfies $\phi$, and $\sigma(i) = x$. It remains to observe that the dual of $\psi$ is a sentence of safety $\mathrm{LTL}^\downarrow_1(X,R)$, which is valid over data $\omega$-words iff $\phi$ is satisfiable over finite data words. □

6. CONCLUDING REMARKS

Satisfiability (over timed $\omega$-words) for the safety fragment of metric temporal logic (MTL) was shown decidable in [Ouaknine and Worrell 2006], and nonelementary in [Bouyer et al. 2008] by reducing from termination of channel machines with emptiness testing and insertion errors. It would be interesting to investigate whether ideas in the proof of Theorem 3.3 above can be combined with those in the proof of primitive recursiveness of termination of channel machines with occurrence testing and insertion errors [Bouyer et al. 2008] to obtain that satisfiability for safety MTL is primitive recursive.

Another open question is whether nonemptiness of safety forward alternating tree automata with 1 register [Jurdziński and Lazic 2007] is primitive recursive.